Description
Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data. This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs when the WordPress Contact Form by WPForms plugin incorrectly inserts sensitive information into data that is sent through the form. This flaw allows an attacker to retrieve embedded sensitive data, exposing confidential information such as personal or financial details. It is a classic information‑exposure weakness as identified by CWE‑201, resulting in loss of data confidentiality and potential breach of privacy.

Affected Systems

The affected product is Contact Form by WPForms provided by Syed Balkhi. All versions from the first release up through 1.9.8.7 are impacted. The plugin is commonly deployed on WordPress sites and is used to accept user submissions through contact forms.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests that exploitation is unlikely but still possible. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be the web form interface; an attacker could craft or submit requests that trigger the plugin to expose sensitive data. If successful, the attacker can read data that should remain confidential, increasing the risk for affected sites.

Generated by OpenCVE AI on March 26, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Contact Form by WPForms to a version newer than 1.9.8.7 when it becomes available.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Syed Balkhi; Syed Balkhi contact Form By Wpforms; Wordpress; Wordpress wordpress
Vendors & Products | | Syed Balkhi; Syed Balkhi contact Form By Wpforms; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data. This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.
Title | | WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-201
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:08.847Z

Reserved: 2026-02-02T12:52:37.307Z

Link: CVE-2026-25339

Vulnrichment

Updated: 2026-03-26T17:10:58.524Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:44.520

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:01Z

Weaknesses