CVE-2025-64369 identifies a missing authorization vulnerability in the codepeople Contact Form Email plugin, affecting all versions up to and including 1.3.58. This vulnerability arises from incorrectly configured access control security levels, allowing attackers with low privileges (PR:L) to bypass authorization checks and access or manipulate contact form data without proper permissions. The attack vector is network-based (AV:N), requiring no user interaction (UI:N), and the scope remains unchanged (S:U). The vulnerability impacts confidentiality (C:H) but does not affect integrity (I:N) or availability (A:N). The plugin is commonly used in WordPress environments to handle contact form submissions and email forwarding. Exploitation could lead to unauthorized disclosure of sensitive information submitted through contact forms, such as personal data or business inquiries. Although no exploits have been reported in the wild, the vulnerability's medium CVSS score (6.5) reflects a significant risk, especially in environments where the plugin is widely deployed. The lack of patches at the time of publication necessitates immediate attention to access control configurations and monitoring for suspicious activity. Organizations should also prepare to apply vendor patches once released to remediate the issue fully.

For European organizations, the primary impact of CVE-2025-64369 is the potential unauthorized disclosure of sensitive data collected via contact forms, which may include personal identifiable information (PII), business communications, or other confidential data. This can lead to privacy violations under GDPR, reputational damage, and potential regulatory fines. Since the vulnerability requires low privilege authentication, attackers who gain minimal access to the web environment could escalate their capabilities to extract sensitive information. The absence of impact on integrity and availability limits the threat to data confidentiality, but the exposure of sensitive information can still have severe consequences, especially for sectors handling critical or regulated data such as finance, healthcare, and government services. The medium severity suggests a moderate risk level, but the ease of exploitation and the widespread use of WordPress plugins in Europe increase the likelihood of targeted attacks. Organizations relying on this plugin should consider the risk of data breaches and implement compensating controls until patches are available.

1. Immediately audit and tighten access control configurations on the Contact Form Email plugin to ensure that only authorized users can access or manage contact form data. 2. Restrict plugin management and data access to trusted administrators and limit user privileges to the minimum necessary. 3. Monitor web server and application logs for unusual access patterns or attempts to exploit contact form endpoints. 4. Implement web application firewalls (WAF) with rules designed to detect and block unauthorized access attempts targeting the plugin. 5. Segregate sensitive data storage and ensure encryption of data at rest and in transit to reduce exposure risk. 6. Stay informed about vendor updates and apply patches promptly once released to address the vulnerability directly. 7. Conduct regular security assessments and penetration tests focusing on web application components, including plugins, to identify and remediate similar misconfigurations. 8. Educate web administrators and developers about secure plugin configuration and the risks of improper access control.