CVE-2025-3912 identifies a missing authorization vulnerability (CWE-862) in the WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin, versions up to and including 1.10.35. The vulnerability arises because the 'get_config' function does not perform any capability or permission checks before returning the plugin's configuration data. This oversight allows unauthenticated attackers to remotely invoke this function and retrieve sensitive configuration details, notably API keys used for integrated third-party services. These API keys could be leveraged to access or manipulate external services, potentially escalating the impact beyond the WordPress environment. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. Although no public exploits have been reported yet, the medium CVSS score of 5.3 reflects the confidentiality impact due to data exposure, while integrity and availability remain unaffected. The vulnerability affects all versions of the plugin up to 1.10.35, which is widely used in WordPress sites for building contact forms via drag-and-drop interfaces. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations. This vulnerability was assigned and enriched by Wordfence and recognized by CISA, underscoring its relevance and the need for attention from site administrators.

The primary impact of CVE-2025-3912 is unauthorized disclosure of sensitive configuration data, including API keys for integrated services. This can lead to compromise of third-party accounts or services connected to the WordPress site, such as email marketing platforms, CRM systems, or payment gateways. Attackers could use exposed API keys to perform unauthorized actions, data exfiltration, or pivot attacks. Although the vulnerability does not directly affect site integrity or availability, the confidentiality breach can have cascading effects on business operations and customer data security. Organizations relying on this plugin risk exposure of sensitive credentials, which could result in reputational damage, regulatory non-compliance, and financial loss. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and exploitation attempts. The scope is limited to WordPress sites using the vulnerable plugin, but given WordPress's global popularity, the number of affected sites could be substantial. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits rapidly once details are public.

1. Immediately audit all WordPress sites using WS Form LITE – Drag & Drop Contact Form Builder to identify affected versions (up to 1.10.35). 2. Monitor the vendor’s official channels for patches or updates addressing this vulnerability and apply them promptly once available. 3. Until a patch is released, restrict access to the plugin’s configuration endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests targeting the 'get_config' function or related URLs. 4. Employ IP whitelisting or authentication mechanisms at the web server or application level to limit access to administrative or plugin configuration areas. 5. Rotate any API keys exposed or potentially exposed due to this vulnerability to invalidate compromised credentials. 6. Conduct regular security scans and monitor logs for unusual access patterns or attempts to access plugin configuration data. 7. Educate site administrators about the risks of using outdated plugins and the importance of timely updates. 8. Consider using alternative contact form plugins with a strong security track record if immediate patching is not feasible. 9. Implement principle of least privilege for API keys integrated with the plugin to minimize potential damage if keys are compromised.