CVE-2025-3912 is a security vulnerability identified in the WS Form LITE – Drag & Drop Contact Form Builder plugin for WordPress, developed by Westguard. This vulnerability arises from a missing authorization check (CWE-862) in the 'get_config' function present in all plugin versions up to and including 1.10.35. Specifically, the plugin fails to verify whether the requesting user has the necessary permissions to access configuration data. As a result, unauthenticated attackers can exploit this flaw to retrieve sensitive plugin settings, including API keys used for integrated third-party services. These API keys often grant access to external platforms or services, potentially enabling attackers to escalate their privileges or exfiltrate additional data. The vulnerability does not require any user authentication or interaction, making it easier to exploit remotely. Although no known exploits have been reported in the wild as of the publication date (April 25, 2025), the exposure of configuration data poses a significant risk to the confidentiality and integrity of affected systems. The vulnerability affects all versions of the WS Form LITE plugin up to 1.10.35, which is widely used in WordPress environments for building contact forms via drag-and-drop interfaces. The absence of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation measures by administrators using this plugin.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive configuration data, including API keys, which could be leveraged to compromise integrated services such as email marketing platforms, CRM systems, or other third-party APIs. This exposure threatens the confidentiality of organizational data and may facilitate further attacks, including data breaches or service disruptions. Given the widespread adoption of WordPress in Europe, especially among SMEs and public sector entities, the impact could be significant. Attackers exploiting this vulnerability could gain footholds in corporate networks or manipulate customer data, undermining trust and potentially violating data protection regulations such as GDPR. The integrity of the affected websites could also be compromised if attackers use the obtained credentials to alter form behavior or inject malicious content. Availability impact is limited but could arise indirectly if attackers disrupt integrated services or force plugin disablement. The medium severity rating reflects the balance between the ease of exploitation (no authentication required) and the scope of impact (exposure limited to configuration data rather than direct code execution).

1. Immediate mitigation should involve disabling or uninstalling the WS Form LITE plugin until a security patch is released. 2. If disabling is not feasible, restrict access to the WordPress REST API and AJAX endpoints that the plugin uses by implementing web application firewall (WAF) rules or server-level access controls to block unauthenticated requests targeting the 'get_config' function. 3. Monitor web server logs for unusual or repeated access attempts to the plugin’s configuration endpoints. 4. Rotate any API keys or credentials exposed through this vulnerability as soon as possible to prevent misuse. 5. Keep WordPress core and all plugins updated regularly and subscribe to vendor security advisories for timely patch deployment. 6. Employ the principle of least privilege for API keys and integrated services to limit potential damage if keys are compromised. 7. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous behavior related to plugin exploitation attempts. 8. Conduct security audits on all third-party plugins to identify similar authorization issues proactively.