Description
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an unauthenticated broken access control in the Contact Form by WPForms plugin, allowing an attacker to bypass authentication checks and interact with restricted API endpoints. From the description, it is inferred that this could enable the attacker to view or modify form settings, send emails on behalf of the site, or otherwise alter the plugin’s behavior, compromising the confidentiality and integrity of site data.

Affected Systems

Vendors affected are Awesomemotive with the Contact Form by WPForms plugin. Any WordPress instance running version 1.10.0.4 or earlier is vulnerable. No specific enterprise products are listed beyond the plugin itself.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of <1% means exploitation is unlikely but not impossible, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a web-based request to the plugin’s protected REST endpoints, which the attacker can hit without credentials. Because the flaw is unauthenticated, a threat actor could exploit it from any IP address and potentially gain unauthorized control over form functionality.

Generated by OpenCVE AI on June 18, 2026 at 00:40 UTC.

Remediation

Vendor Solution

Update the WordPress Contact Form by WPForms Plugin to the latest available version (at least 1.10.0.5).


OpenCVE Recommended Actions

  • Update the WordPress Contact Form by WPForms Plugin to version 1.10.0.5 or later.
  • If an immediate update is not possible, disable the plugin or restrict access to its admin interface using role‑based permissions or a firewall rule.
  • After applying the fix, monitor site logs for unusual activity and verify that the plugin’s API endpoints no longer accept unauthenticated requests.

Generated by OpenCVE AI on June 18, 2026 at 00:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Awesomemotive
Awesomemotive contact Form By Wpforms
Wordpress
Wordpress wordpress
Vendors & Products Awesomemotive
Awesomemotive contact Form By Wpforms
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
Title WordPress Contact Form by WPForms plugin <= 1.10.0.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Awesomemotive Contact Form By Wpforms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:59:51.463Z

Reserved: 2026-05-25T14:28:27.466Z

Link: CVE-2026-48835

cve-icon Vulnrichment

Updated: 2026-06-16T14:59:42.760Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:15.857

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48835

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:59Z

Weaknesses