CVE-2025-13973
Sensitive Information Disclosure in StickEasy Contact Form Plugin
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stickeasy | protected_contact_form | to 1.0.2 (inc) |
| stickeasy | protected_contact_form | to 1.0.0 (inc) |
| stickeasy | protected_contact_form | to 1.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-13973 is a vulnerability in the StickEasy Protected Contact Form plugin for WordPress, affecting all versions up to and including 1.0.2. The issue arises because the plugin stores spam detection logs in a publicly accessible and predictable location, allowing unauthenticated attackers to download these log files.'}, {'type': 'paragraph', 'content': 'These logs contain sensitive information such as visitor IP addresses, email addresses, and snippets of comments from contact form submissions flagged as spam. This exposure leads to sensitive information disclosure.'}, {'type': 'paragraph', 'content': "The vulnerability was addressed in version 1.0.2 by hardening the log directory access with an '.htaccess' file denying web access, placing an empty 'index.html' to prevent directory listing, and randomizing log filenames to prevent attackers from guessing log file paths."}] [1, 5]
How can this vulnerability impact me? :
This vulnerability can impact you by exposing sensitive information collected through the contact form to unauthorized parties. Specifically, attackers can access logs containing visitor IP addresses, email addresses, and comment snippets from submissions flagged as spam.
Such information disclosure can lead to privacy violations, targeted spam, phishing attacks, or other malicious activities leveraging the exposed data.
Because the logs were stored in a predictable and publicly accessible location, attackers did not need authentication to retrieve this sensitive data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability results in unauthorized disclosure of personal data such as IP addresses and email addresses collected via the contact form.
Such exposure can violate data protection regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive information from unauthorized access.
Failure to secure this data could lead to non-compliance, potential legal penalties, and damage to user trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for the presence of publicly accessible spam log files created by the StickEasy Protected Contact Form plugin. Specifically, look for files named like 'spcf-log.txt' or randomized log files in the directory 'wp-content/uploads/stickeasy-protected-contact-form/' or 'wp-content/spcf-logs/'. Unauthorized access to these log files indicates the vulnerability."}, {'type': 'paragraph', 'content': 'You can use network or system commands to detect if these log files are accessible. For example, using curl or wget to attempt to download the log file from the web server:'}, {'type': 'list_item', 'content': 'curl -I https://yourwebsite.com/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt'}, {'type': 'list_item', 'content': 'curl -I https://yourwebsite.com/wp-content/spcf-logs/spcf-log-*.txt'}, {'type': 'paragraph', 'content': 'If the HTTP response status is 200 OK and the content is accessible without authentication, the vulnerability is present.'}, {'type': 'paragraph', 'content': "Additionally, scanning your web server for publicly accessible files matching the pattern 'spcf-log*.txt' in the uploads or spcf-logs directories can help detect exposed logs."}] [1, 2, 5]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the StickEasy Protected Contact Form plugin to version 1.0.2 or later, which contains security fixes addressing this vulnerability.'}, {'type': 'list_item', 'content': "Move spam log files from publicly accessible directories (such as 'wp-content/uploads/stickeasy-protected-contact-form/') to a non-public directory outside the web root, for example 'wp-content/spcf-logs/'."}, {'type': 'list_item', 'content': "Restrict access to the log directory by adding an '.htaccess' file with the directive 'Deny from all' to prevent direct web access."}, {'type': 'list_item', 'content': "Place an empty 'index.html' file in the log directory to prevent directory listing by web servers."}, {'type': 'list_item', 'content': "Use randomized log filenames generated via WordPress's 'wp_generate_password()' function to prevent attackers from guessing log file names."}, {'type': 'paragraph', 'content': 'These measures collectively reduce the risk of unauthorized access and enumeration of spam log files containing sensitive information.'}] [1, 4, 5]