Skip to main content

Contact Form Email CVE-2026-32483

| EUVDEUVD-2026-15825 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15825
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.63.

AnalysisAI

Improper access control in Contact Form Email plugin version 1.3.63 and earlier allows authenticated attackers to modify or inject unauthorized data through inadequately restricted endpoints. An attacker with low-privilege access can exploit misconfigured security levels to manipulate form submissions or sensitive information without proper authorization checks.

Technical ContextAI

The Contact Form Email plugin for WordPress (identified by CPE cpe:2.3:a:codepeople:contact_form_email:*:*:*:*:*:*:*:*) is a form-building utility that handles email delivery and contact data processing. The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to properly verify user permissions before allowing sensitive operations. WordPress plugins execute within the WordPress permission framework (capabilities system), and this vulnerability suggests the plugin lacks proper capability checks (such as current_user_can() or wp_verify_nonce()) on critical endpoints or admin functions, allowing unauthenticated or low-privileged users to bypass intended authorization controls and manipulate form settings, access submissions, or inject malicious data.

RemediationAI

Immediately upgrade CodePeople Contact Form Email to a version later than 1.3.63 (consult the vendor or Patchstack for the specific patched release version). WordPress site administrators should access the WordPress plugin management interface, locate Contact Form Email, and apply any available updates. Until a patch is deployed, implement the following interim controls: restrict WordPress admin access to trusted IP ranges via .htaccess or Web Application Firewall rules, disable the plugin if it is not actively required for site operations, and audit recent form submissions and plugin configuration changes for signs of unauthorized access. Additionally, enforce strong authentication for all WordPress user accounts, enable two-factor authentication, and monitor access logs for suspicious activity targeting the plugin's endpoints.

Share

CVE-2026-32483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy