WordPress Plugin Vulnerabilities

WS Form LITE – Drag & Drop Contact Form Builder for WordPress < 1.10.36 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Description

The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services.

Affects Plugins

Plugin icon
ws-form
Fixed in 1.10.36

References

CVE
CVE-2025-3912
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3f6058e2-a5ec-43b2-9cb7-9efcf0853ffc

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Amin Beheshti
Verified
No
WPVDB ID
e70f8917-929f-4da0-98e8-ff5249c2a62b

Timeline

Publicly Published
2025-04-24 (about 1 year ago)
Added
2025-04-24 (about 1 year ago)
Last Updated
2025-04-25 (about 1 year ago)

Other

Published
Title
Published
2026-01-13
Title
Responsive Accordion Slider <= 1.2.2 - Missing Authorization to Authenticated (Contributor+) Slider Update via 'resp_accordion_silder_save_images'
Published
2024-04-12
Title
eRoom – Zoom Meetings & Webinar < 1.4.19 - Missing Authorization to Information Exposure
Published
2025-05-07
Title
QS Dark Mode <= 3.0 - Missing Authorization
Published
2025-10-12
Title
Masterstudy Elementor Widgets < 1.2.5 - Missing Authorization
Published
2026-01-27
Title
Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending