Description
Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3.
Published: 2026-03-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Upgrade Plugin
AI Analysis

Impact

This vulnerability is a missing authorization flaw that allows an attacker to tamper with the WordPress Contact Form by WPForms plugin’s settings. The flaw stems from incorrectly configured access control security levels, enabling unauthorized modification or retrieval of form data and configuration. The exploit can lead to data exposure or alteration of contact form behavior, directly compromising the confidentiality and integrity of data handled by the form.

Affected Systems

Affected systems are installations of the Contact Form by WPForms plugin from the vendor Syed Balkhi. All releases from the earliest available version up to and including 1.9.9.3 are impacted. The plugin is distributed as wpforms-lite for WordPress.

Risk and Exploitability

The CVSS score of 4.3 reflects a medium severity level, while the EPSS score of less than 1% indicates a low exploit probability at this time. The vulnerability is not listed in CISA’s KEV catalog. The typical attack vector is inferred to be remote via the WordPress web interface, requiring no special credentials. However, such inference is drawn from the plugin’s web-based nature rather than explicit data in the description. Given the low scores but potential for unauthorized data modification, administrators should consider this a priority for remediation.

Generated by OpenCVE AI on March 19, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Contact Form by WPForms plugin to a version newer than 1.9.9.3.
  • Verify that the plugin’s access control settings reflect the intended user permissions after the update.
  • Monitor site logs for any unusual access attempts to the plugin’s configuration pages.

Generated by OpenCVE AI on March 19, 2026 at 15:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Syed Balkhi
Syed Balkhi contact Form By Wpforms
Wordpress
Wordpress wordpress
Vendors & Products Syed Balkhi
Syed Balkhi contact Form By Wpforms
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3.
Title WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Syed Balkhi Contact Form By Wpforms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:18.201Z

Reserved: 2026-03-12T11:11:35.694Z

Link: CVE-2026-32446

cve-icon Vulnrichment

Updated: 2026-03-13T15:32:03.739Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:05.290

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32446

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:19Z

Weaknesses