Contact Form & Lead Form Elementor Builder < 2.0.2 – Authenticated (Subscriber+) Information Exposure | CVE 2025-68046 | Plugin Vulnerabilities

Description

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

Affects Plugins

lead-form-builder

Fixed in 2.0.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/086a32cc-f3af-4dab-921e-9ae6d1b73ae8

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

benzdeus

Verified

No

WPVDB ID

e91cf69f-a2fa-452b-80d2-ce2fbcb12f7f

Timeline

Publicly Published

2026-01-20 (about 3 months ago)

Added

2026-01-28 (about 3 months ago)

Last Updated

2026-02-24 (about 2 months ago)

Other

Published

Title

Published

2023-11-28

Title

BigCommerce <= 5.1.2 - Unauthenticated Sensitive Information Exposure

Published

2025-02-27

Title

Post Grid and Gutenberg Blocks – ComboBlocks < 2.3.7 - Unauthenticated User Information Exposure

Published

2023-12-28

Title

WP Stripe Checkout < 1.2.2.38 - Sensitive Information Exposure via Debug Log

Published

2024-11-26

Title

ProfilePress < 4.15.19 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Published

2026-05-01

Title

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution < 4.3.2 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint