CVE-2026-0825: CWE-862 Missing Authorization in crmperks Database for Contact Form 7, WPforms, Elementor forms
CVE-2026-0825 is a medium-severity authorization bypass vulnerability affecting the crmperks Database plugin for Contact Form 7, WPforms, and Elementor forms on WordPress. The flaw arises from missing capability checks on the CSV export functionality, allowing unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII). Although the shortcode filters displayed entries by user, the CSV export handler bypasses these filters and exports all entries regardless of user permissions. Exploitation requires no authentication or user interaction but does require knowledge of an export key exposed in publicly accessible page source code. The vulnerability affects all versions up to and including 1.4.5. No known exploits are currently in the wild. The CVSS v3.1 base score is 5.3.
AI Analysis
Technical Summary
CVE-2026-0825 is a vulnerability classified under CWE-862 (Missing Authorization) found in the crmperks Database plugin for popular WordPress form builders: Contact Form 7, WPforms, and Elementor forms. This plugin provides a CSV export feature for form submission data. The vulnerability exists because the CSV export endpoint lacks proper authorization checks, allowing unauthenticated users to access and download all stored form submissions. The root cause is that while the shortcode used to display entries enforces user-based filtering, the CSV export handler does not apply these filters and does not verify user capabilities. Attackers can exploit this by discovering an export key embedded in publicly accessible page source code, which acts as a weak form of authentication but is effectively exposed. This enables attackers to retrieve sensitive data, including personally identifiable information (PII) submitted through forms, without needing to authenticate or interact with the system beyond accessing the export URL. The vulnerability affects all plugin versions up to 1.4.5, and no patches or updates are currently linked. The CVSS 3.1 score of 5.3 reflects a network attack vector with low complexity, no privileges required, no user interaction, and a confidentiality impact limited to partial data disclosure without integrity or availability impact. No known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of personal data collected via WordPress forms, which often include sensitive customer or employee information protected under GDPR. Unauthorized access to PII can lead to data breaches, regulatory penalties, reputational damage, and loss of customer trust. Since WordPress is widely used across Europe and these form plugins are popular for data collection, the scope of affected systems is broad. The lack of authentication requirements and the exposure of the export key in public page source code make exploitation straightforward for attackers scanning for vulnerable sites. This could facilitate large-scale data exfiltration campaigns targeting European businesses, non-profits, and government entities using these plugins. The impact is primarily on confidentiality; integrity and availability are not affected. However, the exposure of PII can trigger compliance investigations and necessitate costly incident response and notification efforts.
Mitigation Recommendations
European organizations should immediately audit their WordPress sites using the crmperks Database plugin for Contact Form 7, WPforms, or Elementor forms to determine if they are running affected versions (up to 1.4.5). If so, they should disable the CSV export functionality or restrict access to the export endpoint via web application firewall (WAF) rules or server-level access controls to prevent unauthenticated access. Since no official patches are currently linked, organizations should monitor vendor communications for updates or patches addressing this issue. Additionally, they should remove or obfuscate the export key from publicly accessible page source code to reduce exposure. Implementing strict role-based access controls and ensuring that export functions require proper authentication and authorization is critical. Regularly reviewing form submission data access logs and scanning for unusual export activity can help detect exploitation attempts. Finally, organizations should prepare incident response plans for potential data breaches involving form data and ensure GDPR compliance measures are in place.
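The mitigation above asks that export functions require proper authentication and authorization and apply the same per-user filter the shortcode applies. The following is an added example of what such a guarded WordPress CSV-export handler looks like; it is not the crmperks plugin's code, and the action name, capability, table name and the `owner_id` column are assumptions made for illustration. It relies only on standard WordPress APIs (`admin_post_*` actions, `current_user_can`, `check_admin_referer`, `$wpdb`, `wp_die`, `nocache_headers`).

```php
<?php
// Added example (not the plugin's code): a CSV export handler that is
// authorized by WordPress capabilities, not by a key visible in page source.

// Register only the authenticated hook. Deliberately no
// 'admin_post_nopriv_example_export_entries', so logged-out requests to
// admin-post.php never reach this function at all.
add_action( 'admin_post_example_export_entries', 'example_export_entries' );

/**
 * Hypothetical per-entry visibility rule mirroring what a display shortcode
 * would apply: administrators see everything, other users only their own rows.
 */
function example_user_may_view_entry( $user_id, array $row ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        return true;
    }
    return isset( $row['owner_id'] ) && (int) $row['owner_id'] === (int) $user_id;
}

function example_export_entries() {
    // 1. Authorization: the caller must hold a real capability. A shared
    //    export key embedded in HTML is not a secret and is not checked here.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'You are not allowed to export entries.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the export link must carry a nonce for this action.
    check_admin_referer( 'example_export_entries' );

    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries'; // assumed table name
    $rows  = $wpdb->get_results(
        "SELECT id, created_at, form_id, owner_id, data FROM {$table} ORDER BY id ASC",
        ARRAY_A
    );

    // 3. Apply the same visibility filter as the display path, so the export
    //    can never return more than the user is already allowed to see.
    $user_id = get_current_user_id();
    $rows    = array_filter( $rows, function ( $row ) use ( $user_id ) {
        return example_user_may_view_entry( $user_id, $row );
    } );

    // 4. Leave an audit trail so unusual export volume can be spotted in logs.
    error_log( sprintf( 'form-entry export by user %d: %d rows', $user_id, count( $rows ) ) );

    // 5. Stream the CSV with no caching, so proxies cannot serve it to others.
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="entries.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'created_at', 'form_id', 'owner_id', 'data' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, array( $row['id'], $row['created_at'], $row['form_id'], $row['owner_id'], $row['data'] ) );
    }
    fclose( $out );
    exit;
}
```

The export link that points at this handler would be built with `wp_nonce_url( admin_url( 'admin-post.php?action=example_export_entries' ), 'example_export_entries' )` and rendered only to users who pass the same capability check. The two properties worth verifying when auditing any plugin's export path are the ones this example makes explicit: an unauthenticated request cannot reach the handler, and the rows returned are filtered by the same rule as the on-page display.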
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-09T18:47:18.941Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6979b5554623b1157c9a94c6
Added to database: 1/28/2026, 7:05:57 AM
Last enriched: 2/4/2026, 9:23:59 AM
Last updated: 2/7/2026, 5:56:05 PM
Views: 65