CVE-2026-9145

Arbitrary File Copy in Contact Form Entries WordPress Plugin

Vulnerability report for CVE-2026-9145, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() without validating that the value corresponds to a legitimately uploaded file; when no file is present in $_FILES, raw_value reflects the attacker-controlled POST string. copy() accepts both local filesystem paths and URL sources, so the attacker can target any file readable by the PHP process or supply an attacker-controlled remote URL. Elementor Pro is a prerequisite for triggering the code path (it owns the elementor_pro/forms/new_record hook and populates the Form_Record object), but the bug itself is entirely in Contact Form Entries' handler. This could allow unauthenticated attackers to disclose arbitrary files on the affected site's server. The file is copied to a directory unknown to the attacker; the hashed directory name provides defense-in-depth but is generated from non-cryptographic sources (uniqid() + rand()) and should not be relied upon as the primary mitigation.
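The defect class described above, with one hardened pattern beside it, as an added PHP illustration. This is not code from the Contact Form Entries plugin or from Elementor Pro; the function names, the $files parameter (the $_FILES superglobal or an equivalent array), the $field key and $dest_dir are all assumed for the example. The point is that the source of the copy must come from PHP's own upload record and be verified with is_uploaded_file(), never from request data, and that the destination name should come from a CSPRNG rather than uniqid()/rand().

```php
<?php
// Added illustration; not the plugin's code. Names and parameters are assumed.

// Vulnerable pattern, as the advisory describes it: the source path is a
// request-derived string, so copy() will happily read a local path or a URL.
function copy_entry_file_unsafe(string $raw_value, string $dest_dir): bool
{
    return copy($raw_value, rtrim($dest_dir, '/') . '/' . basename($raw_value));
}

// Hardened pattern: take the source only from the upload record for this field
// and verify it with is_uploaded_file(), which succeeds only for files PHP
// itself received in the current POST request. Returns the stored path or null.
function copy_entry_file_safe(array $files, string $field, string $dest_dir): ?string
{
    // No upload for this field means no copy at all; never fall back to POST data.
    if (!isset($files[$field]) || ($files[$field]['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }

    $tmp = $files[$field]['tmp_name'] ?? null;
    // Rejects arbitrary local paths and URL wrappers alike: only a genuine
    // temporary upload file passes this check.
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        return null;
    }

    // Name the stored file ourselves. Keep at most a sanitized extension from
    // the client-supplied name; the rest comes from a cryptographic source.
    $ext = strtolower(pathinfo($files[$field]['name'] ?? '', PATHINFO_EXTENSION));
    $ext = preg_replace('/[^a-z0-9]/', '', $ext);
    $dest = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . ($ext !== '' ? '.' . $ext : '');

    // move_uploaded_file() re-checks the upload origin before moving.
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}
```

A handler written this way cannot be steered toward a server path or a remote URL, because no request value ever reaches copy(); the only thing the client influences is the sanitized extension. Using random_bytes() for the stored name also removes the reliance on the non-cryptographic uniqid() + rand() naming that the advisory flags as defense-in-depth only.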

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
contact_form_7 contact_form_7 to 1.5.1 (inc)
elementor elementor_pro to 1.5.1 (inc)

Exploitability

CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Executive Summary

This vulnerability exists in the Database for Contact Form 7, WPforms, and Elementor forms plugin for WordPress, specifically in versions up to and including 1.5.1. It involves the create_entry_el() function which reads a value called raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() function without validating whether the file was legitimately uploaded.

Because copy() accepts both local filesystem paths and URLs, an attacker can supply a malicious POST string that tricks the function into copying arbitrary files from the server or from remote URLs. Elementor Pro is required to trigger this vulnerability, but the flaw itself is in the Contact Form Entries handler.

This allows unauthenticated attackers to disclose arbitrary files on the affected server, potentially exposing sensitive information. Although the copied files are placed in a hashed directory to provide some defense, the hashing method is weak and should not be relied upon as a primary protection.

Impact Analysis

This vulnerability can allow unauthenticated attackers to read and disclose arbitrary files on your WordPress server. This could lead to exposure of sensitive data such as configuration files, credentials, or other private information stored on the server.

Because the attacker can supply arbitrary file paths or URLs, they might access files that should not be publicly accessible, increasing the risk of data breaches.

The impact is rated with a CVSS base score of 6.5, indicating a medium severity with high confidentiality impact but low integrity and no availability impact.
