CVE-2025-12845 is a critical vulnerability identified in the Tablesome Table – Contact Form DB plugin for WordPress, specifically affecting versions from 0.5.4 up to 1.2.1. The root cause is a missing authorization check (CWE-862) in the get_table_data() function, which fails to verify if the requesting user has sufficient privileges to access sensitive data stored by the plugin. This flaw allows any authenticated user with at least Subscriber-level access to retrieve plugin table data, including email logs that may contain sensitive information. Since the plugin integrates with widely used WordPress form plugins such as WPForms, Contact Form 7 (CF7), Gravity Forms, Forminator, and Fluent Forms, the attack surface is broad. Attackers can leverage the exposed email log data to initiate password reset processes and capture reset keys, effectively escalating their privileges and potentially taking over accounts. The vulnerability is remotely exploitable over the network without user interaction, with a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. No patches or exploit code are currently publicly available, but the risk remains significant due to the ease of exploitation and the sensitive nature of the data exposed.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of user data, particularly email addresses and password reset tokens. Exploitation can lead to unauthorized account access, data leakage, and potential lateral movement within the affected WordPress environment. Organizations relying on the affected plugins for customer interaction, lead generation, or internal forms may face reputational damage, regulatory non-compliance (e.g., GDPR breaches due to exposure of personal data), and operational disruption. The ability to escalate privileges from a low-level authenticated user to higher privileges increases the threat level, especially in environments where user registration is open or loosely controlled. Given the widespread use of WordPress and these popular form plugins across European businesses, educational institutions, and government websites, the potential impact is broad and severe.

Organizations should immediately audit their WordPress installations for the presence of the Tablesome Table – Contact Form DB plugin and verify the version in use. If affected versions (0.5.4 to 1.2.1) are detected, they should upgrade to the latest patched version as soon as it becomes available. In the absence of an official patch, temporarily disabling the plugin or restricting access to authenticated users with higher privileges only can reduce risk. Implement strict user role management to limit Subscriber-level accounts and monitor logs for unusual access patterns to the plugin’s data endpoints. Additionally, enforce multi-factor authentication (MFA) for all user accounts to mitigate the risk of account takeover via password reset abuse. Regularly review and sanitize form data logs to minimize sensitive information retention. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the vulnerable function. Finally, maintain an incident response plan to quickly address any signs of exploitation.