CVE-2025-13973
Unknown Unknown - Not Provided
Sensitive Information Disclosure in StickEasy Contact Form Plugin

Publication date: 2026-02-14

Last updated on: 2026-02-14

Assigner: Wordfence

Description
The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-02-14
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13973
EUVD
EUVD-2025-206976
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
stickeasy protected_contact_form to 1.0.2 (inc)
stickeasy protected_contact_form to 1.0.0 (inc)
stickeasy protected_contact_form to 1.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-13973 is a vulnerability in the StickEasy Protected Contact Form plugin for WordPress, affecting all versions up to and including 1.0.2. The issue arises because the plugin stores spam detection logs in a publicly accessible and predictable location, allowing unauthenticated attackers to download these log files.'}, {'type': 'paragraph', 'content': 'These logs contain sensitive information such as visitor IP addresses, email addresses, and snippets of comments from contact form submissions flagged as spam. This exposure leads to sensitive information disclosure.'}, {'type': 'paragraph', 'content': "The vulnerability was addressed in version 1.0.2 by hardening the log directory access with an '.htaccess' file denying web access, placing an empty 'index.html' to prevent directory listing, and randomizing log filenames to prevent attackers from guessing log file paths."}] [1, 5]

Impact Analysis

This vulnerability can impact you by exposing sensitive information collected through the contact form to unauthorized parties. Specifically, attackers can access logs containing visitor IP addresses, email addresses, and comment snippets from submissions flagged as spam.

Such information disclosure can lead to privacy violations, targeted spam, phishing attacks, or other malicious activities leveraging the exposed data.

Because the logs were stored in a predictable and publicly accessible location, attackers did not need authentication to retrieve this sensitive data.

Compliance Impact

The vulnerability results in unauthorized disclosure of personal data such as IP addresses and email addresses collected via the contact form.

Such exposure can violate data protection regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive information from unauthorized access.

Failure to secure this data could lead to non-compliance, potential legal penalties, and damage to user trust.

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for the presence of publicly accessible spam log files created by the StickEasy Protected Contact Form plugin. Specifically, look for files named like 'spcf-log.txt' or randomized log files in the directory 'wp-content/uploads/stickeasy-protected-contact-form/' or 'wp-content/spcf-logs/'. Unauthorized access to these log files indicates the vulnerability."}, {'type': 'paragraph', 'content': 'You can use network or system commands to detect if these log files are accessible. For example, using curl or wget to attempt to download the log file from the web server:'}, {'type': 'list_item', 'content': 'curl -I https://yourwebsite.com/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt'}, {'type': 'list_item', 'content': 'curl -I https://yourwebsite.com/wp-content/spcf-logs/spcf-log-*.txt'}, {'type': 'paragraph', 'content': 'If the HTTP response status is 200 OK and the content is accessible without authentication, the vulnerability is present.'}, {'type': 'paragraph', 'content': "Additionally, scanning your web server for publicly accessible files matching the pattern 'spcf-log*.txt' in the uploads or spcf-logs directories can help detect exposed logs."}] [1, 2, 5]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the StickEasy Protected Contact Form plugin to version 1.0.2 or later, which contains security fixes addressing this vulnerability.'}, {'type': 'list_item', 'content': "Move spam log files from publicly accessible directories (such as 'wp-content/uploads/stickeasy-protected-contact-form/') to a non-public directory outside the web root, for example 'wp-content/spcf-logs/'."}, {'type': 'list_item', 'content': "Restrict access to the log directory by adding an '.htaccess' file with the directive 'Deny from all' to prevent direct web access."}, {'type': 'list_item', 'content': "Place an empty 'index.html' file in the log directory to prevent directory listing by web servers."}, {'type': 'list_item', 'content': "Use randomized log filenames generated via WordPress's 'wp_generate_password()' function to prevent attackers from guessing log file names."}, {'type': 'paragraph', 'content': 'These measures collectively reduce the risk of unauthorized access and enumeration of spam log files containing sensitive information.'}] [1, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13973. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart