Skip to main content

Contact Form Entries CVE-2026-9145

| EUVDEUVD-2026-41273 MEDIUM
Path Traversal (CWE-22)
2026-07-02 Wordfence GHSA-hhr7-mvm5-p73g
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
6.5 MEDIUM

AC:H reflects mandatory Elementor Pro co-dependency; PR:N confirmed unauthenticated; C:H for arbitrary server file read; I:L for blind file copy with no direct write control.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:22 vuln.today
CVE Published
Jul 02, 2026 - 09:32 cve.org
MEDIUM 6.5

DescriptionCVE.org

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() without validating that the value corresponds to a legitimately uploaded file - when no file is present in $_FILES, raw_value reflects the attacker-controlled POST string. copy() accepts both local filesystem paths and URL sources, so the attacker can target any file readable by the PHP process or supply an attacker-controlled remote URL. Elementor Pro is a prerequisite for triggering the code path (it owns the elementor_pro/forms/new_record hook and populates the Form_Record object), but the bug itself is entirely in Contact Form Entries' handler. This could allow unauthenticated attackers to disclose arbitrary files on the affected site's server. The file is copied to a directory unknown to the attacker; the hashed directory name provides defense-in-depth but is generated from non-cryptographic sources (uniqid() + rand()) and should not be relied upon as the primary mitigation.

AnalysisAI

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The create_entry_el() function accepts attacker-controlled POST data as a file path and passes it directly to PHP's copy(), which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with Elementor Pro and Contact Form Entries ≤ 1.5.1
Delivery
Locate Elementor Pro form with upload-type field
Exploit
Submit POST request with raw_value set to target file path
Execution
create_entry_el() passes value to PHP copy() without validation
Persist
Sensitive file copied to server-side hashed directory
Impact
Chain with secondary info leak to retrieve copied file

Vulnerability AssessmentAI

Exploitation Exploitation requires three co-present conditions: (1) the Contact Form Entries plugin version ≤ 1.5.1 must be installed and active; (2) Elementor Pro must be installed and active on the same WordPress instance - it is the sole provider of the `elementor_pro/forms/new_record` action hook that triggers `create_entry_el()`; and (3) at least one Elementor Pro form must contain an upload-type field, which causes the Form_Record object to expose `raw_value` for that field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N, score 6.5) correctly captures the dual nature of this flaw: unauthenticated and network-reachable, but gated behind a high-complexity precondition (Elementor Pro must be installed and a form with an upload-type field must exist). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a crafted POST request to a WordPress site running both Elementor Pro and Contact Form Entries ≤ 1.5.1, targeting an Elementor Pro form that includes an upload-type field. The attacker sets the upload field's POST value to an absolute path such as `/var/www/html/wp-config.php`; because no file exists in `$_FILES`, `create_entry_el()` treats this string as `raw_value` and passes it to `copy()`, which copies the configuration file into the plugin's hashed upload staging directory. …
Remediation No patched version has been independently confirmed from the available data - the only Trac references point to the vulnerable 1.5.1 tag, and no changelog entry or newer release tag is cited in the references. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-9145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy