WordPress Plugin Vulnerabilities

Database for Contact Form 7, WPforms, Elementor forms < 1.5.0 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode

Description

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers.

Affects Plugins

Plugin icon
contact-form-entries
Fixed in 1.5.0

References

CVE
CVE-2026-3831
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a033ea44-8084-44c1-8e24-bdb1b61c3566

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
2.7 (Low)

Miscellaneous

Original Researcher
Quốc Huy (jtwings)
Verified
No
WPVDB ID
8f6a0b80-cb22-4991-99f7-62ce7c944fa3

Timeline

Publicly Published
2026-03-31 (about 1 month ago)
Added
2026-03-31 (about 1 month ago)
Last Updated
2026-04-01 (about 1 month ago)

Other

Published
Title
Published
2026-02-10
Title
Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update
Published
2026-02-23
Title
WBW Currency Switcher for WooCommerce < 2.2.6 - Missing Authorization
Published
2025-12-22
Title
Premium Addons for Elementor < 4.11.54 - Unauthenticated Sensitive Information Exposure
Published
2024-05-14
Title
WP Fundraising Donation and Crowdfunding Platform < 1.7.0 - Missing Authorization
Published
2024-11-22
Title
Product Table for WooCommerce by CodeAstrology (wooproducttable.com) < 3.5.2 - Information Exposure