Description
Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.63.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to plugin configuration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Contact Form Email is a missing authorization check that permits unauthorized users to access or manipulate the plugin’s configuration through exposed endpoints. This allows an attacker to modify email routing, sender details, or potentially inject arbitrary email content, leading to phishing or data disclosure. The weakness is categorized as CWE-862: Missing Authorization.

Affected Systems

WordPress plugin Contact Form Email by codepeople, versions 1.3.63 or earlier, running on any WordPress site.

Risk and Exploitability

The flaw has a CVSS score of 6.5, indicating moderate severity, and an EPSS score of less than 1%, indicating a low predicted likelihood of exploitation in the wild. It is not listed in CISA’s KEV catalog. The vulnerability can be exploited by sending crafted HTTP requests to the plugin’s configuration endpoint, which is currently accessible without proper role validation. Because it is exposed via a web interface, an attacker with network access to the site can gain unauthorized control over the plugin’s configuration, potentially enabling phishing or other malicious email usage.

Generated by OpenCVE AI on March 26, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the plugin version and upgrade to the latest release (>1.3.63).
  • If an update is unavailable, disable the plugin or block its configuration URLs using a firewall or .htaccess rules.
  • Ensure that only trusted administrators have access to the WordPress admin area.
  • Reset any modified email settings to secure defaults after patching.
  • Monitor outgoing email traffic for suspicious activity.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Codepeople; Codepeople contact Form Email; Wordpress; Wordpress wordpress
Vendors & Products | | Codepeople; Codepeople contact Form Email; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.63.
Title | | WordPress Contact Form Email plugin <= 1.3.63 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T16:50:45.784Z

Reserved: 2026-03-12T11:11:55.347Z

Link: CVE-2026-32483

Vulnrichment

Updated: 2026-03-26T16:31:43.612Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:59.323

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:12Z

Weaknesses