PT-2026-5066 · Wpforms+2

Teerachai Somprasong · Published 2026-01-28 · Updated 2026-01-28 · CVE-2026-0825

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress versions up to and including 1.4.5

Description

The plugin has an authorization bypass due to missing capability checks on the CSV export functionality. This allows unauthenticated attackers to download sensitive form submission data, including personally identifiable information (PII), by accessing the CSV export endpoint. The export key needed for this access is exposed in the publicly accessible page source code. The CSV export handler bypasses user permission filtering, exporting all entries regardless of user roles.

Recommendations

Versions prior to 1.4.5 should be updated.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-0825

Affected Products

Database For Contact Form 7
Elementor Forms Plugin
Wpforms