Skip to main content

WordPress EUVD-2026-17763

| CVE-2026-3831 MEDIUM
Missing Authorization (CWE-862)
2026-04-01 Wordfence
WordPress Authentication Bypass Elementor
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 01:45 euvd
EUVD-2026-17763
Analysis Generated
Apr 01, 2026 - 01:45 vuln.today
CVE Published
Apr 01, 2026 - 01:24 nvd
MEDIUM 4.3

DescriptionCVE.org

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers.

AnalysisAI

Authenticated attackers with Contributor-level access or above can extract all form submissions from the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions up to 1.4.9) via a missing capability check in the entries_shortcode() function, exposing names, emails, phone numbers, and other sensitive form data. The vulnerability requires existing WordPress user credentials but no administrative privileges, making it accessible to low-privileged users who may be granted contributor roles during normal site operations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents a moderate real-world risk despite its relatively low CVSS score of 4.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated WordPress user with Contributor status (such as a freelance writer or external content partner) discovers the plugin is installed on the site and calls the entries_shortcode() function via a shortcode or direct function invocation. Due to the missing capability check, the function returns all stored form submissions without validating whether the attacker holds administrative privileges, allowing the contributor to dump complete form entry data including customer names, email addresses, and phone numbers to a text file or CSV export. …
Remediation Update the Database for Contact Form 7, WPforms, Elementor Forms plugin to version 1.4.10 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8157 HIGH POC
8.8 Jun 22

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
CVE-2026-8089 HIGH POC
7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH POC
7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-4259 HIGH POC
7.1 Jun 22

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp
CVE-2026-6858 HIGH POC
7.1 Jun 22

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthen

Share

EUVD-2026-17763 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy