CVE-2026-0825
Unknown Unknown - Not Provided
Authorization Bypass in Contact Form 7 Database CSV Export

Publication date: 2026-01-28

Last updated on: 2026-01-28

Assigner: Wordfence

Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-01-28
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0825
EUVD
EUVD-2026-4904
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
wpforms wpforms to 1.4.5 (inc)
elementor elementor_forms_plugin to 1.4.5 (inc)
contact_form_7 contact_form_7 to 1.4.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Database for Contact Form 7, WPforms, and Elementor forms plugins for WordPress. It is an authorization bypass caused by missing capability checks on the CSV export functionality in all versions up to and including 1.4.5. Unauthenticated attackers can exploit this by accessing the CSV export endpoint with an export key found in publicly accessible page source code, allowing them to download sensitive form submission data containing personally identifiable information (PII). The issue arises because while the shortcode filters displayed entries by user, the CSV export handler bypasses this filtering and exports all entries regardless of user permissions.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive form submission data, including personally identifiable information (PII). An attacker without authentication can download all form entries, potentially exposing private user data and causing privacy breaches.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Database for Contact Form 7, WPforms, and Elementor forms plugin for WordPress to a version later than 1.4.5 where the authorization bypass issue is fixed. Additionally, restrict access to the CSV export endpoint and ensure that export keys are not exposed in publicly accessible page source code. Review user permissions and capability checks related to CSV export functionality to prevent unauthorized data access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0825. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart