WordPress Plugin Vulnerabilities

Contact Form by WPForms < 1.9.9.4 - Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
wpforms-lite
Fixed in 1.9.9.4

References

CVE
CVE-2026-32446
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c8e56c2c-b559-493f-bafa-501c5948d806

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
2.7 (low)

Miscellaneous

Original Researcher
davidfdzmorilla
Verified
No
WPVDB ID
319b838a-2d6f-4c1d-9eb1-d85ae076fba6

Timeline

Publicly Published
2026-03-07 (about 2 months ago)
Added
2026-04-16 (about 28 days ago)
Last Updated
2026-04-16 (about 28 days ago)

Other

Published
Title
Published
2023-12-05
Title
Post Duplicator < 2.32 - Missing Authorization via mtphr_duplicate_post
Published
2025-08-14
Title
WP Statistics < 14.15.2 - Missing Authorization
Published
2024-08-26
Title
JobSearch < 2.5.6 - Missing Authorization
Published
2025-06-05
Title
Product Feed for WooCommerce < 2.2.9 - Missing Authorization
Published
2022-10-30
Title
Corsa <= 1.5 - Subscriber+ Arbitrary Plugin Installation