What the vulnerability does
01 Description
Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.60.
Explanation of Vulnerability in Simple Terms
02 Summary
Contact Form Email versions up to 1.3.60 contain a vulnerability allowing attackers to modify form data and disrupt service without authentication. The flaw stems from insufficient input validation in form processing. Attackers can exploit this over the network with no special privileges or user interaction required.
What an attacker can do
03 Attacker Capabilities
Modify contact form submissions and cause the form to become unavailable or malfunction.
Potential impact on your site
04 Site Impact
Contact forms may accept corrupted data or stop working, disrupting visitor communication and potentially affecting business operations.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
December 18, 2025: CVE published
April 28, 2026: Record updated