CVE-2026-40764
Cross-Site Request Forgery in WPForms Contact Form Plugin
Publication date: 2026-04-15
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| syed_balkhi | contact_form_by_wpforms | to 1.10.0.2 (inc) |
| wpforms | wpforms_lite | to 1.10.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40764 is a Cross Site Request Forgery (CSRF) vulnerability in the WordPress Contact Form by WPForms Plugin versions up to and including 1.10.0.2.
This vulnerability allows attackers to trick higher privileged users into executing unwanted actions while authenticated by making them click malicious links, visit crafted pages, or submit forms.
Although the attacker does not need to be authenticated, successful exploitation requires user interaction from a privileged user.
It is classified under OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 8.1, indicating a significant risk.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized actions being performed on your WordPress site by attackers exploiting privileged users.
Attackers can cause privileged users to unknowingly execute unwanted commands, potentially compromising site integrity or functionality.
Despite the high CVSS score, the impact is considered minimal and exploitation is unlikely, but it still poses a significant risk especially in mass campaigns targeting many websites.
To mitigate this risk, it is strongly advised to update the plugin to version 1.10.0.3 or later.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Cross Site Request Forgery (CSRF) vulnerability in the Contact Form by WPForms plugin, users are strongly advised to update the plugin to version 1.10.0.3 or later, where the issue has been patched.
Additionally, Patchstack offers auto-update features for vulnerable plugins to facilitate rapid protection, which can be used to ensure the plugin remains up to date.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the Cross-Site Request Forgery (CSRF) vulnerability in the WPForms plugin affects compliance with common standards and regulations such as GDPR or HIPAA.