CVE-2026-0825
Unknown Unknown - Not Provided

Authorization Bypass in Contact Form 7 Database CSV Export

Vulnerability report for CVE-2026-0825, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-28

Last updated on: 2026-01-28

Assigner: Wordfence

Description

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-28
Last Modified
2026-01-28
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
wpforms wpforms to 1.4.5 (inc)
elementor elementor_forms_plugin to 1.4.5 (inc)
contact_form_7 contact_form_7 to 1.4.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Database for Contact Form 7, WPforms, and Elementor forms plugins for WordPress. It is an authorization bypass caused by missing capability checks on the CSV export functionality in all versions up to and including 1.4.5. Unauthenticated attackers can exploit this by accessing the CSV export endpoint with an export key found in publicly accessible page source code, allowing them to download sensitive form submission data containing personally identifiable information (PII). The issue arises because while the shortcode filters displayed entries by user, the CSV export handler bypasses this filtering and exports all entries regardless of user permissions.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive form submission data, including personally identifiable information (PII). An attacker without authentication can download all form entries, potentially exposing private user data and causing privacy breaches.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Database for Contact Form 7, WPforms, and Elementor forms plugin for WordPress to a version later than 1.4.5 where the authorization bypass issue is fixed. Additionally, restrict access to the CSV export endpoint and ensure that export keys are not exposed in publicly accessible page source code. Review user permissions and capability checks related to CSV export functionality to prevent unauthorized data access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0825. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart