CVE-2026-40764
Received Received - Intake
Cross-Site Request Forgery in WPForms Contact Form Plugin

Publication date: 2026-04-15

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40764
EUVD
EUVD-2026-22903
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
syed_balkhi contact_form_by_wpforms to 1.10.0.2 (inc)
wpforms wpforms_lite to 1.10.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the Cross-Site Request Forgery (CSRF) vulnerability in the WPForms plugin affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-40764 is a Cross Site Request Forgery (CSRF) vulnerability in the WordPress Contact Form by WPForms Plugin versions up to and including 1.10.0.2.

This vulnerability allows attackers to trick higher privileged users into executing unwanted actions while authenticated by making them click malicious links, visit crafted pages, or submit forms.

Although the attacker does not need to be authenticated, successful exploitation requires user interaction from a privileged user.

It is classified under OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 8.1, indicating a significant risk.

Impact Analysis

This vulnerability can lead to unauthorized actions being performed on your WordPress site by attackers exploiting privileged users.

Attackers can cause privileged users to unknowingly execute unwanted commands, potentially compromising site integrity or functionality.

Despite the high CVSS score, the impact is considered minimal and exploitation is unlikely, but it still poses a significant risk especially in mass campaigns targeting many websites.

To mitigate this risk, it is strongly advised to update the plugin to version 1.10.0.3 or later.

Mitigation Strategies

To mitigate the Cross Site Request Forgery (CSRF) vulnerability in the Contact Form by WPForms plugin, users are strongly advised to update the plugin to version 1.10.0.3 or later, where the issue has been patched.

Additionally, Patchstack offers auto-update features for vulnerable plugins to facilitate rapid protection, which can be used to ensure the plugin remains up to date.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40764. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart