CVE-2023-25969 MEDIUM

CVE-2023-25969: WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.8.4 - Broken Access Control vulnerability

Vendor Themehunk
Product Contact Form & Lead Form Elementor Builder
Weakness CWE-862 · Missing authorization
Published June 11, 2026
Last update June 11, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through 1.8.4.

Explanation of Vulnerability in Simple Terms

02Summary

The Contact Form & Lead Form Elementor Builder plugin for WordPress does not properly validate user permissions before allowing form submissions and modifications. An attacker can submit forms or alter form data by tricking a site visitor into clicking a malicious link. This affects versions up to 1.8.4 and can result in unauthorized data changes or form tampering.

What an attacker can do

03Attacker Capabilities

Submit forms or modify form data without proper authorization by tricking a user into clicking a link.

Potential impact on your site

04Site Impact

Form submissions may be altered or spoofed, and form data integrity cannot be guaranteed without updating the plugin.

Conditions required to exploit

05Prerequisites

User interaction required; attacker must trick a site visitor into clicking a malicious link or visiting a crafted page.

Key dates

06Disclosure timeline

June 11, 2026 CVE published
June 11, 2026 Record updated

Related vulnerabilities

08Related CVE