Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.63.
AnalysisAI
Improper access control in Contact Form Email plugin version 1.3.63 and earlier allows authenticated attackers to modify or inject unauthorized data through inadequately restricted endpoints. An attacker with low-privilege access can exploit misconfigured security levels to manipulate form submissions or sensitive information without proper authorization checks.
Technical ContextAI
The Contact Form Email plugin for WordPress (identified by CPE cpe:2.3:a:codepeople:contact_form_email:*:*:*:*:*:*:*:*) is a form-building utility that handles email delivery and contact data processing. The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to properly verify user permissions before allowing sensitive operations. WordPress plugins execute within the WordPress permission framework (capabilities system), and this vulnerability suggests the plugin lacks proper capability checks (such as current_user_can() or wp_verify_nonce()) on critical endpoints or admin functions, allowing unauthenticated or low-privileged users to bypass intended authorization controls and manipulate form settings, access submissions, or inject malicious data.
RemediationAI
Immediately upgrade CodePeople Contact Form Email to a version later than 1.3.63 (consult the vendor or Patchstack for the specific patched release version). WordPress site administrators should access the WordPress plugin management interface, locate Contact Form Email, and apply any available updates. Until a patch is deployed, implement the following interim controls: restrict WordPress admin access to trusted IP ranges via .htaccess or Web Application Firewall rules, disable the plugin if it is not actively required for site operations, and audit recent form submissions and plugin configuration changes for signs of unauthorized access. Additionally, enforce strong authentication for all WordPress user accounts, enable two-factor authentication, and monitor access logs for suspicious activity targeting the plugin's endpoints.
More in Contact Form Email
View allThe Contact Form Email plugin before 1.2.66 for WordPress allows wp-admin/admin.php item XSS, related to cp_admin_int_ed
The Contact Form Email WordPress plugin before 1.3.38 does not escape submitted values before displaying them in the HTM
The Contact Form Email WordPress plugin before 1.3.44 does not sanitise and escape some of its settings, which could all
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodePeople Contact Form Email.3.44. Rated me
The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validatio
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15825