{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32527", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:19.949Z", "datePublished": "2026-03-25T16:15:08.775Z", "dateUpdated": "2026-03-26T16:26:39.025Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cf7-insightly", "product": "WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms", "vendor": "CRM Perks", "versions": [{"changes": [{"at": "1.1.6", "status": "unaffected"}], "lessThanOrEqual": "<= 1.1.5", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:38.719Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-insightly allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.5.</p>"}], "value": "Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-insightly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:08.775Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cf7-insightly/vulnerability/wordpress-wp-insightly-for-contact-form-7-wpforms-elementor-formidable-and-ninja-forms-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:26:22.801935Z", "id": "CVE-2026-32527", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:26:39.025Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32527", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:26:22.801935Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:26:35.671Z"}}], "cna": {"title": "WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "CRM Perks", "product": "WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms", "versions": [{"status": "affected", "changes": [{"at": "1.1.6", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.1.5"}], "packageName": "cf7-insightly", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:38.719Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/cf7-insightly/vulnerability/wordpress-wp-insightly-for-contact-form-7-wpforms-elementor-formidable-and-ninja-forms-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-insightly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-insightly allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:08.775Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32527", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:26:39.025Z", "dateReserved": "2026-03-12T11:12:19.949Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:08.775Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-insightly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en CRM Perks WP Insightly para Contact Form 7, WPForms, Elementor, Formidable y Ninja Forms cf7-insightly permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Insightly para Contact Form 7, WPForms, Elementor, Formidable y Ninja Forms: desde n/a hasta &lt;= 1.1.5."}], "id": "CVE-2026-32527", "lastModified": "2026-03-26T17:16:37.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:05.897", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cf7-insightly/vulnerability/wordpress-wp-insightly-for-contact-form-7-wpforms-elementor-formidable-and-ninja-forms-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.5]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.1.6,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "wp_insightly_for_contact_form_7,_wpforms,_elementor,_formidable_and_ninja_forms", "vendor": "crmperks"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T20:35:53.086517+00:00", "value": {"mitigation_remediation": ["Update WP Insightly to a version newer than 1.1.5 from the vendor\u2019s official source", "If a patch is unavailable, restrict access to the plugin\u2019s endpoints with a web application firewall or limit the WordPress roles that can trigger the plugin", "Disable or uninstall the plugin if it is not required for site functionality", "Monitor server logs and plugin activity for suspicious requests and keep other security controls up to date"], "summary": {"action": "Apply Patch", "impact": "Unauthorized data access"}, "threat_synthesis": {"affected_systems": "All releases of the WP Insightly plugin family for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms, up to version 1.1.5, are affected. Sites that have installed any of these plugin versions are vulnerable regardless of the underlying WordPress core version.", "description_and_impact": "The WP Insightly plugin suite, distributed by CRM Perks, integrates with popular WordPress form plugins and manages CRM data. The vulnerability is a missing authorization check that permits any user to reach plugin endpoints, enabling unauthorized reads or writes of CRM records. This broken access control is a classic example of CWE\u2011862, where access controls are improperly enforced.", "risk_and_exploitability": "The CVSS score and EPSS probability are not disclosed, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is through the web interface, where an actor can send crafted HTTP requests to the plugin\u2019s exposed endpoints. While no public exploits are documented, the potential for unauthorized access to sensitive CRM data makes this issue a significant risk, especially on sites that rely on the plugin for customer interactions."}}}}, "created": "2026-03-25T21:47:13.994413+00:00", "updated": "2026-03-26T11:35:04.859603+00:00", "vendors": ["crmperks", "crmperks$PRODUCT$wp_insightly_for_contact_form_7,_wpforms,_elementor,_formidable_and_ninja_forms", "wordpress", "wordpress$PRODUCT$wordpress"]}