Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.
Published: 2026-01-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Data Exfiltration
Action: Patch Now
AI Analysis

Impact

The plugin lets site operators export stored form submissions as CSV files. The shortcode that displays entries filters them by user, but the CSV export handler applies neither that filter nor a capability check, so anyone who can reach the export endpoint receives every stored entry. Because the export key the handler expects is embedded in publicly reachable page source, an attacker with no credentials can trigger the download and obtain the personally identifiable information held in the plugin's database. The flaw is therefore a missing-authorization weakness (CWE-862) that yields unauthenticated data exfiltration.
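The weakness pattern described above, shown as an added illustration in WordPress-style PHP. This is not code from the Database for Contact Form 7, WPforms, Elementor forms plugin: every name below (the demo_* functions, the demo_entries table, the demo_export action, the export_key parameter and the capabilities chosen) is hypothetical. The vulnerable handler gates only on a static key that is printed into the page, so any visitor can replay it and receives every row; the hardened handler decides by capability and nonce and reuses the shortcode's per-user scoping.

```php
<?php
// Added illustration of CWE-862 in a CSV export handler. Not the plugin's own
// code; all function, table, option, action and parameter names are hypothetical.

// Display path: the shortcode scopes entries to the viewer. This is the
// filtering the CVE description says the shortcode gets right.
function demo_entries_for_current_user() {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_entries';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name, email, message FROM {$table} WHERE user_id = %d",
            get_current_user_id() ),
        ARRAY_A
    );
}

// Stream rows as CSV and end the request.
function demo_send_csv( array $rows ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="entries.csv"' );
    $out = fopen( 'php://output', 'w' );
    if ( $rows ) {
        fputcsv( $out, array_keys( $rows[0] ) );
    }
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}

// VULNERABLE: the only gate is a static key, and that same key is rendered into
// the public page source, so any visitor can replay it. No capability check and
// no per-user filter, so every entry is exported.
function demo_export_csv_vulnerable() {
    global $wpdb;
    $key      = isset( $_GET['export_key'] ) ? sanitize_text_field( wp_unslash( $_GET['export_key'] ) ) : '';
    $expected = (string) get_option( 'demo_export_key' );
    if ( '' === $expected || ! hash_equals( $expected, $key ) ) {
        wp_die( 'Invalid export key', 'Forbidden', array( 'response' => 403 ) );
    }
    $rows = $wpdb->get_results( "SELECT id, name, email, message FROM {$wpdb->prefix}demo_entries", ARRAY_A );
    demo_send_csv( $rows );
}
// Registering the *_nopriv_ variant is what makes the export reachable without a login.
// (Both handlers are shown side by side here; a real plugin registers only one.)
add_action( 'admin_post_demo_export', 'demo_export_csv_vulnerable' );
add_action( 'admin_post_nopriv_demo_export', 'demo_export_csv_vulnerable' );

// FIXED: authorisation is decided by capability and a nonce, not by a shareable
// key, and the export applies the same scoping rule as the shortcode.
function demo_export_csv_fixed() {
    global $wpdb;
    // 1. Capability check (the CWE-862 fix): anonymous and under-privileged users stop here.
    //    edit_posts / manage_options are assumptions; use the plugin's own capabilities.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'You are not allowed to export entries.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Nonce check so a logged-in user cannot be made to export via a crafted link.
    check_admin_referer( 'demo_export' );
    // 3. Same scoping as the display path: only site managers see everyone's rows.
    if ( current_user_can( 'manage_options' ) ) {
        $rows = $wpdb->get_results( "SELECT id, name, email, message FROM {$wpdb->prefix}demo_entries", ARRAY_A );
    } else {
        $rows = demo_entries_for_current_user();
    }
    demo_send_csv( $rows );
}
add_action( 'admin_post_demo_export', 'demo_export_csv_fixed' );
// No admin_post_nopriv_demo_export registration: anonymous requests get
// admin-post.php's default behaviour and never reach the handler.

// The export link is then minted per session instead of carrying a static key:
// wp_nonce_url( admin_url( 'admin-post.php?action=demo_export' ), 'demo_export' )
```

The point of the hardened version is that nothing in the page source is sufficient on its own to trigger the export: the nonce is tied to the user's session, and the capability check is evaluated server-side on every request.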

Affected Systems

WordPress sites using the Database for Contact Form 7, WPforms, Elementor forms plugin from crmperks, specifically any release up through and including version 1.4.5, are impacted. No other product or version data is listed, so all installations of 1.4.5 or earlier are considered vulnerable until a fix is applied.

Risk and Exploitability

CVE‑2026‑0825 carries a CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, and a confidentiality-only impact. The EPSS is below 1 %, so exploitation in the wild was judged unlikely at the time of this analysis, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, the missing authorization check is a straightforward attack path: the attacker needs only the export key, which is discoverable in the public page source, and can trigger the export without any account on the site, potentially exposing all collected PII.

Generated by OpenCVE AI on April 15, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a release later than 1.4.5 in which the capability check on the CSV export has been restored. This page lists no fixed version, so confirm the fix in the vendor's changelog before relying on it.
  • Until an update can be installed, restrict the plugin's CSV export handler to administrator users, for example with a must-use plugin that rejects export requests from anonymous or under-privileged sessions, or block unauthenticated requests to the export endpoint at the web server. The page does not name the endpoint's URL or parameters; take them from the plugin's source.
  • After applying the patch or restriction, confirm that the export key no longer appears in publicly accessible page source, and verify with an unauthenticated request to the export endpoint that the handler now requires the appropriate capability (an HTTP 403 or login redirect, never a CSV body). If the plugin still relies on an export key, treat the current one as disclosed and regenerate it where the plugin allows.
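An interim mitigation of the kind the list above describes, as an added example rather than vendor guidance: a must-use plugin that refuses CSV export requests unless the session has the required capability. The request marker (the demo_export action name), the capability and the hook are assumptions and must be replaced with what the plugin's own export handler actually uses.

```php
<?php
/**
 * Plugin Name: CSV export gate (hypothetical interim mitigation)
 * Description: Rejects CSV export requests that do not come from a sufficiently privileged session.
 *
 * Save as wp-content/mu-plugins/csv-export-gate.php. Must-use plugins load before
 * regular plugins, so this hook is registered ahead of the form plugin's own.
 * Added example; not part of the plugin and not vendor guidance.
 */

// ASSUMPTION: placeholder request marker. Read the plugin's export handler and
// replace this with the real action name or query parameter it responds to.
const DEMO_EXPORT_ACTION = 'demo_export';

// Does this request look like a CSV export attempt?
function demo_is_csv_export_request() {
    $action = '';
    if ( isset( $_REQUEST['action'] ) ) {
        $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    }
    return DEMO_EXPORT_ACTION === $action;
}

// Capability, not a shared key, decides whether the export may proceed.
function demo_gate_csv_export() {
    if ( ! demo_is_csv_export_request() ) {
        return;
    }
    // manage_options is an assumption; narrow it to the capability the plugin
    // itself grants for viewing all entries once that is known.
    if ( ! current_user_can( 'manage_options' ) ) {
        nocache_headers();
        wp_die( 'CSV export requires an administrator session.', 'Forbidden', array( 'response' => 403 ) );
    }
}

// Priority 0 on init runs ahead of handlers the plugin registers on init at the
// default priority 10, and ahead of admin_post_* handlers, which fire after init.
// If the plugin serves the export from an earlier hook, attach this to that hook
// with a lower priority instead.
add_action( 'init', 'demo_gate_csv_export', 0 );
```

After installing it, verify with an unauthenticated GET of the export URL: the expected result is an HTTP 403, never a text/csv body. Keep the mu-plugin in place until the updated plugin has been confirmed to enforce the capability check itself.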

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Crmperks; Crmperks database For Contact Form 7, Wpforms, Elementor Forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Crmperks; Crmperks database For Contact Form 7, Wpforms, Elementor Forms; Wordpress; Wordpress wordpress

Wed, 28 Jan 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.

Type: Title
Values Removed: (none)
Values Added: Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:22.116Z

Reserved: 2026-01-09T18:47:18.941Z

Link: CVE-2026-0825

Vulnrichment

Updated: 2026-01-28T15:02:09.600Z

NVD

Status : Deferred

Published: 2026-01-28T07:16:00.133

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:15:12Z

Weaknesses