PT-2026-5066 · Wpforms+2
Teerachai Somprasong · Published 2026-01-28 · Updated 2026-01-28 · CVE-2026-0825
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress versions up to and including 1.4.5
Description
The plugin has an authorization bypass due to missing capability checks on the CSV export functionality. This allows unauthenticated attackers to download sensitive form submission data, including personally identifiable information (PII), by accessing the CSV export endpoint. The export key needed for this access is exposed in the publicly accessible page source code. The CSV export handler bypasses user permission filtering, exporting all entries regardless of user roles.
Recommendations
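Versions prior to 1.4.5 should be updated. The affected range listed above includes 1.4.5 itself, so confirm that the installed release is newer than the affected versions.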
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Database For Contact Form 7
Elementor Forms Plugin
Wpforms