Executive Summary

CVE-2026-3831 is a vulnerability in the Database for Contact Form 7, WPforms, and Elementor forms plugin for WordPress. The issue arises because the entries_shortcode() function lacks a proper capability check in all versions up to and including 1.4.9. This flaw allows authenticated users with Contributor-level access or higher to access and extract all form submissions stored by the plugin.

These form submissions can include sensitive data such as names, email addresses, and phone numbers. The vulnerability exists due to missing authorization checks that should restrict access to this data only to users with appropriate permissions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive personal information collected through various WordPress form plugins integrated with the Contact Form Entries plugin.

• Authenticated users with Contributor-level access or higher can extract all form submissions, including names, emails, and phone numbers.
• This exposure can result in privacy breaches, potential identity theft, phishing attacks, or other malicious activities leveraging the leaked data.
• Organizations using the affected plugin versions may face reputational damage and loss of user trust due to data leakage.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized access to form submission data via the entries_shortcode() function in the Contact Form Entries plugin for WordPress. Detection involves checking if the vulnerable plugin version (up to and including 1.4.9) is installed and if Contributor-level or higher users can access form entries without proper capability checks.

To detect the vulnerability on your system, you can:

• Verify the installed version of the Contact Form Entries plugin. For example, use WP-CLI to list plugin versions: `wp plugin list | grep contact-form-entries`
• Check if users with Contributor-level access or above can access form entries via the shortcode `[vx-entries]` or by accessing URLs that trigger CSV exports (e.g., URLs containing `vx_crm_form_action=download_csv`).
• Review web server logs for suspicious access patterns to the shortcode or CSV export URLs by authenticated users with Contributor or higher roles.

No specific commands are provided in the resources, but the above steps using WP-CLI and log inspection are practical approaches.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade the Contact Form Entries plugin to a version later than 1.4.9 where the missing capability check on the entries_shortcode() function is fixed.
• Restrict Contributor-level and above user roles from accessing form entries or exporting data until the plugin is updated.
• Review and tighten user role capabilities related to form entry access and data export.
• Monitor access logs for unusual activity related to form entries or CSV export URLs.

These steps help prevent unauthorized data extraction by authenticated users exploiting the missing capability check.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated attackers with Contributor-level access and above to extract all form submissions, including sensitive personal data such as names, emails, and phone numbers, due to a missing capability check.

Unauthorized access to personal data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personally identifiable information (PII) and sensitive health information.

Because the vulnerability enables data extraction without proper authorization, organizations using the affected plugin versions may face compliance risks related to data confidentiality and privacy obligations under these standards.

Useful 0 Not Useful 0