FKIE_CVE-2026-0825

Vulnerability from fkie_nvd - Published: 2026-01-28 07:16 - Updated: 2026-01-29 16:31
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.
References
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.4.5/contact-form-entries.php#L76
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L301
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L76
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/templates/leads-table.php#L10
security@wordfence.comhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442962%40contact-form-entries&new=3442962%40contact-form-entries&sfp_email=&sfph_mail=
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/4048ae11-fece-42aa-baf3-c636c4875635?source=cve
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions."
    },
    {
      "lang": "es",
      "value": "El plugin Database para Contact Form 7, WPforms, formularios de Elementor para WordPress es vulnerable a una elusi\u00f3n de autorizaci\u00f3n debido a la falta de comprobaciones de capacidad en la funcionalidad de exportaci\u00f3n CSV en todas las versiones hasta la 1.4.5, ambas inclusive. Esto hace posible que atacantes no autenticados descarguen datos sensibles de env\u00edo de formularios que contienen informaci\u00f3n de identificaci\u00f3n personal (PII) al acceder al endpoint de exportaci\u00f3n CSV con una clave de exportaci\u00f3n que est\u00e1 expuesta en el c\u00f3digo fuente de la p\u00e1gina accesible p\u00fablicamente. La vulnerabilidad se crea porque, mientras que el shortcode filtra correctamente las entradas mostradas por usuario, el manejador de exportaci\u00f3n CSV elude completamente este filtrado y exporta todas las entradas independientemente de los permisos del usuario."
    }
  ],
  "id": "CVE-2026-0825",
  "lastModified": "2026-01-29T16:31:35.700",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@wordfence.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-28T07:16:00.133",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.4.5/contact-form-entries.php#L76"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L301"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L76"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/templates/leads-table.php#L10"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3442962%40contact-form-entries\u0026new=3442962%40contact-form-entries\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4048ae11-fece-42aa-baf3-c636c4875635?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.