CVE-2025-13973 - Vulnerability Details

- StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure

Description

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.

Published: 2026-02-14

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The plugin writes spam detection logs to a predictable location under wp‑content/uploads, making the file publicly readable. An unauthenticated attacker can retrieve the spcf‑log.txt file and obtain visitor IP addresses, email addresses, and comment snippets that were classified as spam, thereby violating confidentiality. This falls under CWE‑200, Sensitive Data Exposure.

Affected Systems

The vulnerability affects the StickEasy Protected Contact Form plugin for WordPress developed by Kasuga16. All released versions up to and including 1.0.2, which store logs in the public uploads folder, are impacted.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as moderate severity, while the EPSS score of <1% indicates a very low probability of exploitation at the time of analysis. The inconsistency between the EPSS metric and the CVSS score is a reminder that the vulnerability is straightforward to exploit: an attacker merely needs to request the public log file through the web server without authentication. The vulnerability is not listed in the CISA KEV catalog, so it is not a known exploited vulnerability as of now. Nonetheless, because the exposure is purely informational, organizations should consider patching promptly, especially if sensitive data is handled via the contact form.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

kasuga16

StickEasy Protected Contact Form

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.1

No data.

Vendor Product Confidence Versions

Kasuga16

Stickeasy Protected Contact Form

—

Version	Status	Scheme	Platform
`[0,1.0.1]`	affected	semver	—

Wordpress

—

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade StickEasy Protected Contact Form to a version that removes the public log file vulnerability (e.g., 1.0.3 or newer).
If an immediate upgrade is impossible, delete or relocate the spcf‑log.txt file to a non‑public directory and adjust file permissions to deny public read access. The log directory should reside outside wp‑content/uploads so it is not directly accessible over HTTP.
Disable or remove spam detection logging within the plugin configuration if the option exists, or modify the plugin code to write logs to a secure, non‑exposed location.

Generated by OpenCVE AI on April 21, 2026 at 16:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/stickeasy-protected-contact-form/tags/1.0.0/stickeasy-protected-contact-form.php#L157
https://plugins.trac.wordpress.org/browser/stickeasy-protected-contact-form/trunk/stickeasy-protected-contact-form.php#L157
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425729%40stickeasy-protected-contact-form&new=3425729%40stickeasy-protected-contact-form
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426722%40stickeasy-protected-contact-form&new=3426722%40stickeasy-protected-contact-form
https://www.wordfence.com/threat-intel/vulnerabilities/id/86edc116-054f-4962-a57c-0ce7e1b8ff8c?source=cve

History

Tue, 17 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kasuga16 Kasuga16 stickeasy Protected Contact Form Wordpress Wordpress wordpress
Vendors & Products		Kasuga16 Kasuga16 stickeasy Protected Contact Form Wordpress Wordpress wordpress

Sat, 14 Feb 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.
Title		StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure
Weaknesses		CWE-200
References		https://plugins.trac.wordpress.org/browser/stickeasy-protected-contact-form/tags/1.0.0/stickeasy-protected-contact-form.php#L157 https://plugins.trac.wordpress.org/browser/stickeasy-protected-contact-form/trunk/stickeasy-protected-contact-form.php#L157 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425729%40stickeasy-protected-contact-form&new=3425729%40stickeasy-protected-contact-form https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426722%40stickeasy-protected-contact-form&new=3426722%40stickeasy-protected-contact-form https://www.wordfence.com/threat-intel/vulnerabilities/id/86edc116-054f-4962-a57c-0ce7e1b8ff8c?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Kasuga16 Stickeasy Protected Contact Form

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-14T03:25:27.497Z

Updated: 2026-04-08T17:04:56.587Z

Reserved: 2025-12-03T16:01:21.540Z

Link: CVE-2025-13973

Vulnrichment

Updated: 2026-02-17T15:05:58.234Z

NVD

Status : Deferred

Published: 2026-02-14T04:15:56.313

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:15:40Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object