Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
AC:H reflects mandatory Elementor Pro co-dependency; PR:N confirmed unauthenticated; C:H for arbitrary server file read; I:L for blind file copy with no direct write control.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() without validating that the value corresponds to a legitimately uploaded file - when no file is present in $_FILES, raw_value reflects the attacker-controlled POST string. copy() accepts both local filesystem paths and URL sources, so the attacker can target any file readable by the PHP process or supply an attacker-controlled remote URL. Elementor Pro is a prerequisite for triggering the code path (it owns the elementor_pro/forms/new_record hook and populates the Form_Record object), but the bug itself is entirely in Contact Form Entries' handler. This could allow unauthenticated attackers to disclose arbitrary files on the affected site's server. The file is copied to a directory unknown to the attacker; the hashed directory name provides defense-in-depth but is generated from non-cryptographic sources (uniqid() + rand()) and should not be relied upon as the primary mitigation.
AnalysisAI
Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The create_entry_el() function accepts attacker-controlled POST data as a file path and passes it directly to PHP's copy(), which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three co-present conditions: (1) the Contact Form Entries plugin version ≤ 1.5.1 must be installed and active; (2) Elementor Pro must be installed and active on the same WordPress instance - it is the sole provider of the `elementor_pro/forms/new_record` action hook that triggers `create_entry_el()`; and (3) at least one Elementor Pro form must contain an upload-type field, which causes the Form_Record object to expose `raw_value` for that field. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N, score 6.5) correctly captures the dual nature of this flaw: unauthenticated and network-reachable, but gated behind a high-complexity precondition (Elementor Pro must be installed and a form with an upload-type field must exist). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits a crafted POST request to a WordPress site running both Elementor Pro and Contact Form Entries ≤ 1.5.1, targeting an Elementor Pro form that includes an upload-type field. The attacker sets the upload field's POST value to an absolute path such as `/var/www/html/wp-config.php`; because no file exists in `$_FILES`, `create_entry_el()` treats this string as `raw_value` and passes it to `copy()`, which copies the configuration file into the plugin's hashed upload staging directory. … |
| Remediation | No patched version has been independently confirmed from the available data - the only Trac references point to the vulnerable 1.5.1 tag, and no changelog entry or newer release tag is cited in the references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41273
GHSA-hhr7-mvm5-p73g