Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3.
AnalysisAI
Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users to bypass access restrictions and view sensitive form data. An attacker with low-privileged credentials could leverage misconfigured access controls to access information they should not be permitted to view. No patch is currently available for this vulnerability.
Technical ContextAI
Contact Form by WPForms is a popular WordPress plugin (CPE: cpe:2.3:a:syed_balkhi:wpforms-lite) that handles form submissions and user data collection. The vulnerability stems from CWE-862 (Missing Authorization), a critical access control defect where the application fails to properly enforce authorization checks before exposing sensitive operations or data. Rather than a coding error in a specific library, this represents a logical flaw in the plugin's capability-checking mechanism—likely missing calls to WordPress capability functions (such as current_user_can()) or inadequate role-based access controls on administrative or form-related endpoints. The affected versions up to 1.9.9.3 did not consistently validate whether users had appropriate permissions before allowing them to view or interact with form-related resources.
RemediationAI
Upgrade Contact Form by WPForms to a patched version greater than 1.9.9.3 as soon as possible; check the official WPForms plugin page or vendor security advisories for the exact fixed version number and upgrade via the WordPress plugin dashboard. Until patching is feasible, implement compensating controls by restricting user roles and capabilities—remove subscriber or contributor access to form management endpoints if not required for your workflow, and audit existing user permissions to limit low-privilege accounts. Additionally, monitor form submissions and access logs for unauthorized access attempts, and consider temporarily disabling form functionality on less critical forms until patching is complete. Enable WordPress security plugins that enforce stricter authorization checks or log suspicious capability-related activities.
More in Contact Form By Wpforms
View allCross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Re
Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthent
Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerabilit
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11991