Impact
The flaw is an unauthenticated broken access control in the Contact Form by WPForms plugin, allowing an attacker to bypass authentication checks and interact with restricted API endpoints. From the description, it is inferred that this could enable the attacker to view or modify form settings, send emails on behalf of the site, or otherwise alter the plugin’s behavior, compromising the confidentiality and integrity of site data.
Affected Systems
Vendors affected are Awesomemotive with the Contact Form by WPForms plugin. Any WordPress instance running version 1.10.0.4 or earlier is vulnerable. No specific enterprise products are listed beyond the plugin itself.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of <1% means exploitation is unlikely but not impossible, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a web-based request to the plugin’s protected REST endpoints, which the attacker can hit without credentials. Because the flaw is unauthenticated, a threat actor could exploit it from any IP address and potentially gain unauthorized control over form functionality.
OpenCVE Enrichment