Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network request to a WordPress plugin endpoint missing authorization checks; integrity-only impact per CWE-862 access-control bypass, no confidentiality or availability effect described.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
AnalysisAI
Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.
Technical ContextAI
WPForms (also known as Contact Form by WPForms / wpforms-lite) is one of the most widely deployed WordPress form-builder plugins, developed by Awesome Motive (CPE: awesomemotive:contact_form_by_wpforms). The root cause is CWE-862 (Missing Authorization), meaning one or more plugin endpoints - typically exposed via WordPress AJAX or REST handlers - execute privileged operations without verifying the caller's capability (e.g., current_user_can) or nonce. Because WordPress plugins commonly register admin-ajax.php actions that are reachable by anonymous users when the underlying handler omits an authorization gate, an unauthenticated HTTP request alone is sufficient to invoke the affected functionality.
RemediationAI
Upgrade Contact Form by WPForms to a version newer than 1.10.0.4 via the WordPress plugin updater as soon as a fixed release is published; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-10-0-4-broken-access-control-vulnerability) for the exact patched version, as the input data does not name one. Patch available per vendor advisory but exact fix version is not independently confirmed from the provided data. Until the update is applied, compensating controls include restricting access to /wp-admin/admin-ajax.php and the WordPress REST API endpoints exposed by WPForms via a WAF rule or Patchstack/Wordfence virtual patch, temporarily deactivating the plugin if the form functionality is non-critical (side effect: contact forms stop rendering and submissions are lost), or scoping IP allow-lists to admin-area requests (side effect: may break legitimate front-end form submissions if applied too broadly). Audit form configurations, submitted entries, and plugin settings for unexpected changes after exposure.
More in Contact Form By Wpforms
View allCross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Re
Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerabilit
Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36843
GHSA-xhpp-7jwj-prh5