WordPress Plugin Vulnerabilities

Contact Form by BestWebSoft < 4.3.7 - Missing Authorization

Description

The Contact Form by BestWebSoft plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
contact-form-plugin
Fixed in 4.3.7

References

CVE
CVE-2025-63056
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/32506176-6e74-4889-9cbd-111a57980b0c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Phat RiO
Verified
No
WPVDB ID
14ba273a-815d-4a4f-a69b-4c57cff90190

Timeline

Publicly Published
2025-12-07 (about 6 months ago)
Added
2025-12-10 (about 6 months ago)
Last Updated
2026-04-15 (about 2 months ago)

Other

Published
Title
Published
2026-03-10
Title
Avada (Fusion) Builder < 3.15.0 - Missing Authorization
Published
2023-08-16
Title
Comments Like Dislike < 1.2.0 - Subscriber+ Settings Reset
Published
2022-06-30
Title
Accordions < 2.0.3 - Unauthenticated Arbitrary Options Update
Published
2025-11-09
Title
WooCommerce Recover Abandoned Cart < 24.7.0 - Missing Authorization to Unauthenticated Arbitrary Content Deletion
Published
2026-06-17
Title
MStore API – Create Native Android & iOS Apps On The Cloud < 4.19.0 - Missing Authorization