PT-2025-17901 · WordPress · Ws Form Lite

Amin Beheshti · Published 2025-04-25 · Updated 2025-04-25 · CVE-2025-3912

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WS Form LITE – Drag & Drop Contact Form Builder for WordPress versions prior to 1.10.36

Description

The issue allows unauthorized access to data due to a missing capability check on the get config function. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services.

Recommendations

For WS Form LITE – Drag & Drop Contact Form Builder for WordPress versions prior to 1.10.36, update to version 1.10.36 or later to resolve the issue. As a temporary workaround, consider restricting access to the get config function until a patch is available.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-3912

Affected Products

Ws Form Lite