CVE-2026-0825 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the crmperks Database plugin for Contact Form 7, WPforms, and Elementor forms on WordPress platforms, specifically all versions up to and including 1.4.5. The vulnerability stems from a missing capability check on the CSV export functionality, which is intended to allow authorized users to export form submission data. However, the CSV export handler does not enforce user permission filtering, unlike the shortcode that displays entries filtered by user. As a result, an unauthenticated attacker can access the CSV export endpoint by leveraging an export key that is inadvertently exposed in publicly accessible page source code. This exposure allows attackers to download all form submission data, including sensitive personally identifiable information (PII), without requiring authentication or user interaction. The vulnerability has a CVSS 3.1 base score of 5.3, indicating medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. Although no known exploits have been reported in the wild, the vulnerability presents a significant risk of data leakage, especially for websites collecting sensitive user data through forms. The root cause is a design flaw in authorization logic within the plugin's CSV export feature, which bypasses critical access controls.

The primary impact of CVE-2026-0825 is the unauthorized disclosure of sensitive form submission data, including personally identifiable information (PII). This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential legal liabilities for affected organizations. Attackers can remotely and anonymously download all stored form data without authentication, increasing the risk of large-scale data breaches. Organizations relying on these WordPress plugins for contact forms, surveys, or customer feedback are particularly vulnerable. The exposure of PII can facilitate identity theft, phishing campaigns, and other targeted attacks. Additionally, the breach of trust with customers or users may result in loss of business and erosion of brand reputation. Since the vulnerability does not affect integrity or availability, the impact is confined to confidentiality loss, but the scope is broad given the widespread use of these plugins.

To mitigate CVE-2026-0825, organizations should immediately upgrade the crmperks Database plugin to a patched version once available, as no patch links are currently provided but likely forthcoming. In the interim, administrators should restrict access to the CSV export functionality by implementing web application firewall (WAF) rules that block access to the export endpoint from unauthenticated or untrusted sources. Review and remove any publicly exposed export keys from page source code or configuration files. Disable or remove the CSV export feature if not essential. Conduct an audit of stored form data to assess potential exposure and notify affected users if a breach is suspected. Additionally, implement strict access controls and monitoring on WordPress admin areas and plugin functionalities. Regularly scan for unauthorized data access attempts and ensure that all plugins are kept up to date with security patches. Employ security best practices such as least privilege principles and segmentation of sensitive data storage.