Description
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.
Published: 2026-04-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Untrusted form submissions via CSRF
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw that permits an attacker to compel an authenticated user of a WordPress site to send arbitrary form submissions or alter form settings. By exploiting the missing CSRF token validation, an attacker can trigger unintended actions that compromise the integrity and confidentiality of user data or website configuration. The weakness corresponds to CWE‑352, which concerns lacking protection against cross‑site request forgery.

Affected Systems

The issue affects installations of the WordPress plugin Contact Form by WPForms from Syed Balkhi, including any version through 1.10.0.2. Any WordPress site that has this plugin installed and runs a vulnerable version is susceptible. No specific operating‑system or PHP version constraints are listed.

Risk and Exploitability

The CVSS score is 8.1, and the EPSS score is less than 1%. This vulnerability is not listed in the KEV catalog. Exploitation requires an attacker to lure an authenticated user to a crafted URL or form, making the attack vector HTTP. Because no active exploitation code is reported and the defect plays on authenticated sessions, the risk is moderate, but sites with high‑value content or exposed configuration panels should prioritize remediation.

Generated by OpenCVE AI on April 15, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Contact Form by WPForms plugin to a release newer than 1.10.0.2 to apply the vendor patch that restores CSRF protection.
  • Enable or confirm the plugin’s internal CSRF protection controls—ensure that form submissions require a valid nonce or token before processing.
  • For critical or high‑value sites, temporarily disable the plugin or restrict administrator access to form configuration until the patched version is installed.

Generated by OpenCVE AI on April 15, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Syed Balkhi
Syed Balkhi contact Form By Wpforms
Wordpress
Wordpress wordpress
Vendors & Products Syed Balkhi
Syed Balkhi contact Form By Wpforms
Wordpress
Wordpress wordpress

Wed, 15 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.
Title WordPress Contact Form by WPForms plugin <= 1.10.0.2 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Syed Balkhi Contact Form By Wpforms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-15T15:19:00.260Z

Reserved: 2026-04-15T09:20:32.456Z

Link: CVE-2026-40764

cve-icon Vulnrichment

Updated: 2026-04-15T15:18:30.743Z

cve-icon NVD

Status : Received

Published: 2026-04-15T11:16:36.773

Modified: 2026-04-15T16:16:38.653

Link: CVE-2026-40764

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:30:12Z

Weaknesses