Description
Missing Authorization vulnerability in Rohil Contact Form – 7 : Hide Success Message contact-form-7-hide-success-message allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Contact Form – 7 : Hide Success Message: from n/a through <= 1.1.4.
Published: 2025-06-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the Rohil Contact Form – 7 : Hide Success Message WordPress plugin allows an attacker to access functions that should be protected. The vulnerability is a classic broken access control flaw (CWE‑862). Through this loophole, an unauthorized user could invoke privileged operations, potentially exposing or manipulating plugin data and affecting the confidentiality, integrity, and availability of the site’s form handling capabilities.

Affected Systems

The vulnerability impacts the Contact Form – 7 : Hide Success Message plugin from its initial release through version 1.1.4. Any WordPress installation using one of these versions is at risk, regardless of the host operating system or WordPress core version.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, suggesting very low current exploitation likelihood. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack surface is likely local or authenticated, requiring the attacker to reach a form of privileged access or to trick a legitimate user into granting the necessary permissions. Because the flaw is a simple missing ACL, once the correct capability is granted it can be abused without further exploitation steps.

Generated by OpenCVE AI on April 30, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contact Form – 7 : Hide Success Message plugin to any version newer than 1.1.4 if available.
  • If a newer version is not available, disable the plugin entirely until a patch is released to prevent exploitation.
  • Restrict plugin administrative capabilities to administrator roles only; review and tighten user role permissions so that only authorized users can access the plugin’s settings and functions.


Advisories
Source: EUVD
ID: EUVD-2025-19367
Title: Missing Authorization vulnerability in Rohil Contact Form – 7 : Hide Success Message allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Contact Form – 7 : Hide Success Message: from n/a through 1.1.4.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in Rohil Contact Form &#8211; 7 : Hide Success Message contact-form-7-hide-success-message allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Contact Form &#8211; 7 : Hide Success Message: from n/a through <= 1.1.4.
Values Added: Missing Authorization vulnerability in Rohil Contact Form – 7 : Hide Success Message contact-form-7-hide-success-message allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Contact Form – 7 : Hide Success Message: from n/a through <= 1.1.4.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in Rohil Contact Form &#8211; 7 : Hide Success Message allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Contact Form &#8211; 7 : Hide Success Message: from n/a through 1.1.4.
Values Added: Missing Authorization vulnerability in Rohil Contact Form &#8211; 7 : Hide Success Message contact-form-7-hide-success-message allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Contact Form &#8211; 7 : Hide Success Message: from n/a through <= 1.1.4.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Rohil Contact Form &#8211; 7 : Hide Success Message allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Contact Form &#8211; 7 : Hide Success Message: from n/a through 1.1.4.
Title WordPress Contact Form – 7 : Hide Success Message plugin <= 1.1.4 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:23.263Z

Reserved: 2025-06-27T11:59:06.866Z

Link: CVE-2025-53304

Vulnrichment

Updated: 2025-06-27T13:46:26.381Z

NVD

Status: Deferred

Published: 2025-06-27T14:15:52.253

Modified: 2026-04-28T19:33:36.697

Link: CVE-2025-53304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:15:42Z

Weaknesses