Skip to main content

Contact Form By Wpforms

4 CVEs product

Monthly

CVE-2026-48835 HIGH This Week

Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

Authentication Bypass Contact Form By Wpforms
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-40764 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.

CSRF Contact Form By Wpforms
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-25339 MEDIUM This Month

Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) that allows attackers to retrieve embedded sensitive data from contact form submissions. This information disclosure flaw affects the popular WordPress plugin maintained by Syed Balkhi, potentially exposing user data submitted through contact forms. While CVSS and EPSS scores are not yet published and KEV/POC status is unknown, the vulnerability was reported through Patchstack and tracked under ENISA EUVD-2026-15649.

Information Disclosure Contact Form By Wpforms
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32446 MEDIUM This Month

Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users to bypass access restrictions and view sensitive form data. An attacker with low-privileged credentials could leverage misconfigured access controls to access information they should not be permitted to view. No patch is currently available for this vulnerability.

Authentication Bypass Contact Form By Wpforms
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

Authentication Bypass Contact Form By Wpforms
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.

CSRF Contact Form By Wpforms
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) that allows attackers to retrieve embedded sensitive data from contact form submissions. This information disclosure flaw affects the popular WordPress plugin maintained by Syed Balkhi, potentially exposing user data submitted through contact forms. While CVSS and EPSS scores are not yet published and KEV/POC status is unknown, the vulnerability was reported through Patchstack and tracked under ENISA EUVD-2026-15649.

Information Disclosure Contact Form By Wpforms
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users to bypass access restrictions and view sensitive form data. An attacker with low-privileged credentials could leverage misconfigured access controls to access information they should not be permitted to view. No patch is currently available for this vulnerability.

Authentication Bypass Contact Form By Wpforms
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy