Skip to main content

Contact Form By Wpforms CVE-2026-32446

| EUVDEUVD-2026-11991 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11991
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3.

AnalysisAI

Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users to bypass access restrictions and view sensitive form data. An attacker with low-privileged credentials could leverage misconfigured access controls to access information they should not be permitted to view. No patch is currently available for this vulnerability.

Technical ContextAI

Contact Form by WPForms is a popular WordPress plugin (CPE: cpe:2.3:a:syed_balkhi:wpforms-lite) that handles form submissions and user data collection. The vulnerability stems from CWE-862 (Missing Authorization), a critical access control defect where the application fails to properly enforce authorization checks before exposing sensitive operations or data. Rather than a coding error in a specific library, this represents a logical flaw in the plugin's capability-checking mechanism—likely missing calls to WordPress capability functions (such as current_user_can()) or inadequate role-based access controls on administrative or form-related endpoints. The affected versions up to 1.9.9.3 did not consistently validate whether users had appropriate permissions before allowing them to view or interact with form-related resources.

RemediationAI

Upgrade Contact Form by WPForms to a patched version greater than 1.9.9.3 as soon as possible; check the official WPForms plugin page or vendor security advisories for the exact fixed version number and upgrade via the WordPress plugin dashboard. Until patching is feasible, implement compensating controls by restricting user roles and capabilities—remove subscriber or contributor access to form management endpoints if not required for your workflow, and audit existing user permissions to limit low-privilege accounts. Additionally, monitor form submissions and access logs for unauthorized access attempts, and consider temporarily disabling form functionality on less critical forms until patching is complete. Enable WordPress security plugins that enforce stricter authorization checks or log suspicious capability-related activities.

Share

CVE-2026-32446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy