WordPress Plugin Vulnerabilities

Contact Form by WPForms < 1.10.0.3 - Cross-Site Request Forgery

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wpforms-lite
Fixed in 1.10.0.3

References

CVE
CVE-2026-40764
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9009deff-bf5a-4434-8f73-1485f733d599

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
vladimir tokarev
Verified
No
WPVDB ID
c5d7c49b-06f4-4937-a2b3-f4d1ca1cf4b4

Timeline

Publicly Published
2026-03-31 (about 1 month ago)
Added
2026-05-08 (about 6 days ago)
Last Updated
2026-05-08 (about 6 days ago)

Other

Published
Title
Published
2023-04-13
Title
Ultimate Noindex Nofollow Tool II < 1.3.4 - Settings Update via CSRF
Published
2016-04-12
Title
WordPress <= 4.4.2 - Script Compression Option CSRF
Published
2023-05-24
Title
Download < 1.1.0 - Cross-Site Request Forgery
Published
2025-01-16
Title
Cookie Consent & Autoblock for GDPR/CCPA <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-11-06
Title
ImageMapper <= 1.2.6 - Stored XSS via CSRF