Description
The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services.
Published: 2025-04-25
Score: 5.3 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Unauthenticated Sensitive Information Exposure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is caused by a missing capability check in the get_config function of the WS Form LITE plugin for WordPress. Because the check is omitted, any user, including one who is not logged in, can call the function and read the plugin's configuration, including API keys for integrated services. The result is a confidentiality breach: an attacker can obtain sensitive credentials that may enable impersonation of the integrated services or further exploitation.

Affected Systems

The affected product is the WS Form LITE – Drag & Drop Contact Form Builder for WordPress provided by Westguard. All releases up to and including version 1.10.35 contain this issue; no later releases are listed as affected. If your site uses any of these versions, it is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is less than 1%, suggesting a low probability of exploitation, and the vulnerability is not included in the CISA KEV catalog. An attacker can exploit the flaw by invoking the get_config function without authentication; given that the description states the capability check is missing, the likely attack vector is an unauthenticated HTTP request to the get_config endpoint.

Generated by OpenCVE AI on April 22, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WS Form LITE to the latest available version (1.10.36 or later) to remove the missing capability check.
  • If an update cannot be applied immediately, delete or invalidate any API keys that are stored in the plugin settings to limit exposure of sensitive credentials.
  • Restrict or block unauthenticated requests to the 'get_config' endpoint using a web‑application firewall, a security plugin rule, or a host‑level firewall rule to enforce authentication before configuration data can be read.


Advisories

Source: EUVD
ID: EUVD-2025-12546
Title: The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services.

History

Fri, 25 Apr 2025 14:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 25 Apr 2025 11:30:00 +0000

Values added:
  • Description: The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services.
  • Title: WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.35 - Missing Authorization to Unauthenticated Sensitive Information Exposure
  • Weaknesses: CWE-862
  • References: (none listed)
  • Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:11.378Z

Reserved: 2025-04-23T22:10:17.114Z

Link: CVE-2025-3912

Vulnrichment

Updated: 2025-04-25T13:53:38.506Z

NVD

Status : Deferred

Published: 2025-04-25T12:15:17.243

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses