The WordPress Contact Form Email plugin contains an information disclosure vulnerability where the use of a user‑controlled key bypasses authorization. This IDOR flaw allows an unauthenticated or low‑privileged user to retrieve or manipulate data associated with other forms. The weakness is mapped to CWE‑639 and could expose personal information submitted through the plugin or alter form configurations. It does not lead to remote code execution but enables unauthorized access to configured form data.

Affected installations include any WordPress site running codepeople’s Contact Form Email plugin version 1.3.60 or earlier. The vulnerability exists in all releases from the first public version through 1.3.60. The CVE specifically references the plugin as a whole, so any deployment of that product in the identified range is impacted.

Security analysts rate the flaw as CVSS 6.5, indicating moderate severity. The EPSS score of less than 1 % suggests that known exploits are rare and the attack surface is limited. The bug is not listed in CISA’s KEV catalog, so it is not known to have widespread exploitation. Attackers could trigger the IDOR by crafting requests that include a valid key parameter to an endpoint used by the plugin, potentially on a publicly accessible site. Given the moderate impact and low exploitation probability, the risk is moderate but still requires mitigation to prevent accidental data exposure.