Contact Form By Wpforms
Monthly
Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.
Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) that allows attackers to retrieve embedded sensitive data from contact form submissions. This information disclosure flaw affects the popular WordPress plugin maintained by Syed Balkhi, potentially exposing user data submitted through contact forms. While CVSS and EPSS scores are not yet published and KEV/POC status is unknown, the vulnerability was reported through Patchstack and tracked under ENISA EUVD-2026-15649.
Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users to bypass access restrictions and view sensitive form data. An attacker with low-privileged credentials could leverage misconfigured access controls to access information they should not be permitted to view. No patch is currently available for this vulnerability.
Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.
Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) that allows attackers to retrieve embedded sensitive data from contact form submissions. This information disclosure flaw affects the popular WordPress plugin maintained by Syed Balkhi, potentially exposing user data submitted through contact forms. While CVSS and EPSS scores are not yet published and KEV/POC status is unknown, the vulnerability was reported through Patchstack and tracked under ENISA EUVD-2026-15649.
Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users to bypass access restrictions and view sensitive form data. An attacker with low-privileged credentials could leverage misconfigured access controls to access information they should not be permitted to view. No patch is currently available for this vulnerability.