CVE-2026-0825 in Database for Contact Form 7, WPforms, Elementor Forms Plugininfo

Zusammenfassung

von MITRE • 28.01.2026

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Veröffentlichung

28.01.2026

Moderieren

akzeptiert

Eintrag

VDB-343106

CPE

bereit

CWE

CWE-862 (bestätigt)

CVSS

5.3 (CNA)

EPSS

0.00019

KEV

nein

Aktivitäten

very low

Sektor

Hostingprovider

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-0825
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-0825
CVE Details	https://www.cvedetails.com/cve/CVE-2026-0825/

◂ Zurück Übersicht Weiter ▸

Might our Artificial Intelligence support you?

Check our Alexa App!