CVE-2026-0825 in Database for Contact Form 7, WPforms, Elementor Forms Pluginالمعلومات

الملخص

بحسب MITRE • 28/01/2026

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

إفشاء

28/01/2026

الاعتدال

تمت الموافقة

إدخال

VDB-343106

CPE

جاهز

CWE

CWE-862 (مؤكد)

CVSS

5.3 (CNA)

EPSS

0.00019

KEV

لا

النشاطات

منخفض جدًا

القطاع

Hostingprovider

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-0825
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-0825
CVE Details	https://www.cvedetails.com/cve/CVE-2026-0825/

التالي ▸نظرة عامة ◂ السابق

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!