Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 – 1.2.1 – Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation | CVE 2025-12845 | Plugin Vulnerabilities

Description

The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key.

Affects Plugins

Fixed in 1.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a22b2724-2541-4345-bd42-e8a5844f3f0a

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

kr0d

Verified

No

WPVDB ID

6d234774-c409-48eb-b10d-c8f740f9c80c

Timeline

Publicly Published

2026-02-18 (about 3 months ago)

Added

2026-02-18 (about 3 months ago)

Last Updated

2026-02-19 (about 3 months ago)

Other

Published

Title

Published

2024-01-05

Title

Hostinger < 1.9.8 - Unauthenticated Maintenance Mode Toggle

Published

2025-12-22

Title

Poll, Survey & Quiz Maker Plugin by Opinion Stage < 19.12.1 - Missing Authorization

Published

2025-03-13

Title

WP Ghost < 5.4.02 - Unauthenticated Limited File Read

Published

2024-03-29

Title

Spiffy Calendar < 4.9.11 - Missing Authorization

Published

2025-01-31

Title

WooCommerce Support Ticket System < 17.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Information Exposure