Skip to main content

WPForms CVE-2026-48835

| EUVDEUVD-2026-36843 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-xhpp-7jwj-prh5
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network request to a WordPress plugin endpoint missing authorization checks; integrity-only impact per CWE-862 access-control bypass, no confidentiality or availability effect described.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:51 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.

AnalysisAI

Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

Technical ContextAI

WPForms (also known as Contact Form by WPForms / wpforms-lite) is one of the most widely deployed WordPress form-builder plugins, developed by Awesome Motive (CPE: awesomemotive:contact_form_by_wpforms). The root cause is CWE-862 (Missing Authorization), meaning one or more plugin endpoints - typically exposed via WordPress AJAX or REST handlers - execute privileged operations without verifying the caller's capability (e.g., current_user_can) or nonce. Because WordPress plugins commonly register admin-ajax.php actions that are reachable by anonymous users when the underlying handler omits an authorization gate, an unauthenticated HTTP request alone is sufficient to invoke the affected functionality.

RemediationAI

Upgrade Contact Form by WPForms to a version newer than 1.10.0.4 via the WordPress plugin updater as soon as a fixed release is published; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-10-0-4-broken-access-control-vulnerability) for the exact patched version, as the input data does not name one. Patch available per vendor advisory but exact fix version is not independently confirmed from the provided data. Until the update is applied, compensating controls include restricting access to /wp-admin/admin-ajax.php and the WordPress REST API endpoints exposed by WPForms via a WAF rule or Patchstack/Wordfence virtual patch, temporarily deactivating the plugin if the form functionality is non-critical (side effect: contact forms stop rendering and submissions are lost), or scoping IP allow-lists to admin-area requests (side effect: may break legitimate front-end form submissions if applied too broadly). Audit form configurations, submitted entries, and plugin settings for unexpected changes after exposure.

Share

CVE-2026-48835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy