CVE-2026-3831: CWE-862 Missing Authorization in crmperks Database for Contact Form 7, WPforms, Elementor forms
CVE-2026-3831 is a medium-severity vulnerability in the crmperks Database plugin for Contact Form 7, WPforms, and Elementor forms on WordPress. The flaw arises from a missing authorization check in the entries_shortcode() function, allowing authenticated users with Contributor-level access or higher to read all stored form submissions, including sensitive user data such as names, emails, and phone numbers. Exploitation requires no user interaction, but it does require an authenticated account with at least Contributor privileges. The vulnerability affects all plugin versions up to and including 1.4.9. There are no known exploits in the wild, and no patch had been released at the time of writing. Organizations using these plugins should prioritize restricting Contributor-level access and monitoring for suspicious activity. The vulnerability has a CVSS v3.1 base score of 4.3.
AI Analysis
Technical Summary
CVE-2026-3831 is a vulnerability in the crmperks Database plugin, which stores and displays submissions from the Contact Form 7, WPforms, and Elementor form plugins on WordPress. The root cause is a missing authorization check (CWE-862) in the entries_shortcode() function, the shortcode callback that renders stored form entries. The callback does not verify that the user it is rendering for is allowed to see the entries, so any authenticated user with Contributor-level permissions or higher can retrieve all stored submissions. Contributor is the threshold because WordPress Contributors can create and preview their own draft posts, and shortcodes are expanded when a draft is previewed; no published content and no administrative access is needed. These submissions typically contain personally identifiable information (PII) such as names, email addresses, and phone numbers collected via web forms. All versions up to and including 1.4.9 are affected. Exploitation requires no user interaction beyond the attacker's own authenticated session. The CVSS v3.1 base score is 4.3 (medium): the impact is limited to confidentiality, with no integrity or availability impact, and attack complexity is low. No public exploit or vendor patch was available at the time of writing, but the issue is publicly disclosed under CVE-2026-3831. An output path for sensitive data with no capability check is a significant oversight given how widely these form plugins are deployed.
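The following is an added illustration of the CWE-862 pattern in a WordPress shortcode callback and of its fix. It is not the crmperks plugin's code: the advisory names entries_shortcode() but does not publish its body, so the shortcode tags, table name, column names and the `limit` attribute below are assumptions chosen to show the pattern.

```php
<?php
/**
 * Added example, not code from the crmperks plugin or the advisory.
 * Assumptions: a table {prefix}example_form_entries with columns id, name,
 * email, phone; shortcode tags example_entries_vulnerable / example_entries_hardened.
 */

// Shared renderer. esc_html() prevents XSS; it says nothing about who may read the data.
function example_render_entries_table( array $rows ) {
    $html = '<table class="entries">';
    foreach ( $rows as $row ) {
        $html .= '<tr>';
        foreach ( array( 'name', 'email', 'phone' ) as $col ) {
            $html .= '<td>' . esc_html( isset( $row[ $col ] ) ? $row[ $col ] : '' ) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// VULNERABLE PATTERN (CWE-862): the callback assumes only an administrator will ever
// place the shortcode. But shortcodes run whenever the_content is filtered, including
// the preview of a draft, and a Contributor can create and preview drafts. Every role
// that can edit posts can therefore make this callback dump the whole table to them.
function example_entries_shortcode_vulnerable( $atts = array() ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries'; // assumed table name
    $rows  = $wpdb->get_results( "SELECT name, email, phone FROM {$table}", ARRAY_A );
    return example_render_entries_table( (array) $rows );
}
add_shortcode( 'example_entries_vulnerable', 'example_entries_shortcode_vulnerable' );

// HARDENED PATTERN: authorize on every render and fail closed.
function example_entries_shortcode_hardened( $atts = array() ) {
    // 1. Check a capability, not a role name. manage_options is held by Administrators
    //    (and Super Admins on multisite); Contributors, Authors and Editors get nothing.
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }

    // 2. Bound how much PII one render can expose (the attribute is an assumption).
    $atts  = shortcode_atts( array( 'limit' => 50 ), $atts, 'example_entries_hardened' );
    $limit = max( 1, min( 500, (int) $atts['limit'] ) );

    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT name, email, phone FROM {$table} ORDER BY id DESC LIMIT %d", $limit ),
        ARRAY_A
    );
    return example_render_entries_table( (array) $rows );
}
add_shortcode( 'example_entries_hardened', 'example_entries_shortcode_hardened' );
```

The point of the pair is that output escaping and authorization are separate controls: the vulnerable callback is not exploitable for XSS, yet it leaks every stored entry to anyone who can get the shortcode rendered for themselves. The hardened version makes the decision at render time with current_user_can(), so it holds regardless of which post the shortcode sits in or who authored that post.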
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive user data collected through web forms, including names, emails, and phone numbers. This can lead to privacy violations, identity theft, phishing attacks, and reputational damage for affected organizations. Since Contributor-level access is sufficient for exploitation, attackers do not need administrative privileges, increasing the risk if user accounts are compromised or improperly assigned. The vulnerability does not affect data integrity or availability, so it does not enable data modification or service disruption. However, the exposure of PII can have regulatory compliance implications under laws such as GDPR, CCPA, and others. Organizations relying on these plugins for customer interaction, lead generation, or support may face significant trust and legal consequences if exploited. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly documented and could be targeted in the future.
Mitigation Recommendations
1. Immediately audit user roles and remove Contributor-level or higher access from anyone who does not need it. If open registration is enabled, confirm that the new-user default role is Subscriber.
2. Until a patch is available, disable the plugin's entries display: deactivate the plugin if the stored entries do not need to be shown on the site, or gate the entries shortcode behind an administrator capability check (for example from a must-use plugin).
3. Monitor WordPress user accounts for suspicious activity, especially those with Contributor or higher roles: new accounts, role changes, and drafts or previews created by accounts that do not normally author content.
4. Enforce least privilege in access control policies. A Web Application Firewall (WAF) may help spot bulk access patterns, but the request that triggers this flaw is an ordinary authenticated post preview, so do not rely on a WAF as the primary control.
5. Update the plugin as soon as the vendor releases a fixed version, and keep WordPress core and all other plugins current.
6. Educate site administrators about the risks of over-privileging users.
7. If patching is not feasible, consider alternative plugins or a custom solution that performs an authorization check on every code path that exposes entries.
8. Review logging and alerting so that exploitation attempts can be detected early.
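As an added example of the interim gating in recommendation 2 (not part of the advisory and not vendor code), the following must-use plugin wraps any registered shortcode whose callback is named entries_shortcode, the function the advisory identifies, so that only users with manage_options can render it. The shortcode tag itself is not named in the advisory, so the wrapper matches on the callback name rather than on an assumed tag.

```php
<?php
/**
 * Plugin Name: Temporary capability gate for entries_shortcode
 * Description: Added example, not the crmperks plugin's or the advisory's code. Place in
 *              wp-content/mu-plugins/ and remove once the vendor patch is installed.
 *
 * Assumptions: the vulnerable callback is registered with add_shortcode() either as a
 * plain function named entries_shortcode (possibly namespaced) or as a method of that
 * name on a plugin class/object. Closures cannot be matched by name and are skipped.
 */

add_action( 'init', function () {
    global $shortcode_tags; // WordPress registry: tag => callable

    $target_method = 'entries_shortcode';

    // foreach iterates over a copy, so re-registering tags inside the loop is safe.
    foreach ( $shortcode_tags as $tag => $callback ) {
        $name = null;
        if ( is_string( $callback ) ) {
            $name = $callback;                          // 'entries_shortcode' or 'NS\entries_shortcode'
        } elseif ( is_array( $callback ) && isset( $callback[1] ) && is_string( $callback[1] ) ) {
            $name = $callback[1];                       // [ $object_or_class, 'entries_shortcode' ]
        }
        if ( null === $name || false === stripos( $name, $target_method ) ) {
            continue;
        }

        $original = $callback;

        // add_shortcode() overwrites the existing entry for $tag with our wrapper.
        add_shortcode( $tag, function ( $atts = array(), $content = null, $shortcode_tag = '' ) use ( $original, $tag ) {
            // The check the plugin is missing: decide at render time, fail closed.
            if ( ! current_user_can( 'manage_options' ) ) {
                error_log( sprintf(
                    'entries gate: blocked [%s] render for user %d on %s',
                    $tag,
                    get_current_user_id(),
                    isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
                ) );
                return '';
            }
            return call_user_func( $original, $atts, $content, $shortcode_tag );
        } );
    }
}, PHP_INT_MAX ); // run after regular plugins have registered their shortcodes
```

Must-use plugins load before regular plugins, which is why the wrapping is deferred to a very late `init` priority. The error_log() line doubles as the detection signal from recommendation 8: a non-administrator repeatedly hitting the gate is exactly the behaviour to alert on. Two caveats: this only covers the shortcode path the advisory names, not any admin page, AJAX or REST route the plugin may also use to show entries, and it is a stopgap to be removed once the vendor's fix is applied and verified.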
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-09T13:37:57.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cc7a8ee6bfc5ba1d854126
Added to database: 4/1/2026, 1:53:18 AM
Last enriched: 4/1/2026, 2:09:42 AM
Last updated: 4/1/2026, 5:04:22 AM
Views: 6