CVE-2026-0825: CWE-862 Missing Authorization in crmperks Database for Contact Form 7, WPforms, Elementor forms
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by requesting the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The root cause is a split in authorization logic: the shortcode correctly filters the entries it displays by user, but the CSV export handler does not reuse that filtering and exports all entries regardless of who is making the request.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-0825 affects the Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress. It is caused by missing authorization checks on the CSV export endpoint, allowing unauthenticated attackers to download all form submission data by supplying an export key that the plugin exposes in publicly accessible page source code. While the plugin's shortcode properly restricts what it displays based on the viewing user, the CSV export handler performs no equivalent check, so the static key alone is sufficient to retrieve every stored entry. This issue impacts all versions up to and including 1.4.5. The CVSS 3.1 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required, and no user interaction needed.
Potential Impact
An attacker can obtain sensitive personally identifiable information (PII) submitted via forms by exploiting the missing authorization checks on the CSV export functionality. This unauthorized data access could lead to privacy violations and potential misuse of exposed information. There is no indication of data modification or availability impact. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is available, either deactivate the plugin or restrict the CSV export endpoint at the web server or WAF layer so that only trusted administrators can reach it. Because the export key is rendered into public page source, search the HTML of any page that uses the plugin's shortcode for the key, remove or restrict those pages where possible, and rotate the key if the plugin provides a way to do so. Treat any web server log entries for the export endpoint from unauthenticated or unexpected clients as potential data exfiltration. Monitor for vendor updates and apply patches promptly once released.
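The pattern the description names, as an added illustration written in the style of a WordPress plugin. This is not the crmperks plugin's code; the hook, option, capability, table and helper names below are hypothetical. It shows a shortcode that correctly scopes entries to the logged-in user but prints a static export key into the page, an export handler that only compares that key and dumps every row, and a hardened handler that requires login plus a capability, binds the request to a nonce, and reuses the shortcode's own per-user filter so both code paths share one authorization decision.

```php
<?php
// Added illustration of CWE-862 in a WordPress-style CSV export; not the crmperks plugin's code.
// Hook, option, capability, table and helper names are hypothetical.

/** Rows a given user may see. The shortcode already scopes by this; the export must too. */
function demo_entries_for_user( int $user_id ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_form_entries'; // hypothetical table
    // Site admins see everything; everyone else only their own submissions.
    if ( user_can( $user_id, 'manage_options' ) ) {
        return (array) $wpdb->get_results( "SELECT id, email, message, user_id FROM {$table}", ARRAY_A );
    }
    return (array) $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email, message, user_id FROM {$table} WHERE user_id = %d", $user_id ),
        ARRAY_A
    );
}

/** Shortcode: correctly filtered list, plus the export link. */
function demo_entries_shortcode(): string {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    $html = '<ul>';
    foreach ( demo_entries_for_user( get_current_user_id() ) as $row ) {
        $html .= '<li>' . esc_html( $row['email'] ) . '</li>';
    }
    $html .= '</ul>';

    // VULNERABLE: a static, site-wide key rendered into HTML that any visitor can read and replay.
    // $url = add_query_arg( 'demo_export', get_option( 'demo_export_key' ), home_url( '/' ) );

    // HARDENED: no secret in the page; the link carries a per-user, expiring nonce instead.
    $url = wp_nonce_url( add_query_arg( 'demo_export', '1', home_url( '/' ) ), 'demo_export_entries' );

    return $html . '<a href="' . esc_url( $url ) . '">CSV</a>';
}
add_shortcode( 'demo_entries', 'demo_entries_shortcode' );

/** VULNERABLE export handler: no login, no capability check, no per-user filter, static key only. */
function demo_export_csv_vulnerable(): void {
    if ( ! isset( $_GET['demo_export'] ) ) {
        return;
    }
    if ( $_GET['demo_export'] !== get_option( 'demo_export_key' ) ) {
        return;
    }
    global $wpdb;
    // Runs on 'init' for anonymous visitors too, and dumps every row for anyone holding the key.
    demo_send_csv( (array) $wpdb->get_results(
        "SELECT id, email, message, user_id FROM {$wpdb->prefix}demo_form_entries", ARRAY_A ) );
}

/** HARDENED export handler: authenticated, capability-checked, nonce-bound, same filter as the shortcode. */
function demo_export_csv_fixed(): void {
    if ( ! isset( $_GET['demo_export'] ) ) {
        return;
    }
    // Authorization: the capability decides who may export at all.
    if ( ! is_user_logged_in() || ! current_user_can( 'demo_export_entries' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Anti-CSRF: the nonce ties the request to this user's session; it is not a substitute for the check above.
    $nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'demo_export_entries' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Same scoping function the shortcode uses, so export can never show more than the page does.
    demo_send_csv( demo_entries_for_user( get_current_user_id() ) );
}
add_action( 'init', 'demo_export_csv_fixed' ); // hook demo_export_csv_vulnerable here instead to reproduce the flaw

/** Stream rows as CSV and stop; shared by both handlers. */
function demo_send_csv( array $rows ): void {
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="entries.csv"' );
    $out = fopen( 'php://output', 'w' );
    if ( $rows ) {
        fputcsv( $out, array_keys( $rows[0] ) );
    }
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
```

Two points worth checking in any real fix: the nonce only defends against cross-site request forgery and does nothing to authorize the caller, so `current_user_can()` must stay in front of it; and the export handler must call the same scoping function as the display path rather than its own query, otherwise the two will drift apart again the next time either is edited.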
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-09T18:47:18.941Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6979b5554623b1157c9a94c6
Added to database: 1/28/2026, 7:05:57 AM
Last enriched: 4/9/2026, 6:21:30 PM
Last updated: 5/10/2026, 8:48:26 AM