CVE-2025-12845 HIGH

CVE-2025-12845: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation

Vendor Essekia
Product Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent
Weakness CWE-862 · Missing authorization
Published February 19, 2026
Last update February 19, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key.

Explanation of Vulnerability in Simple Terms

02Summary

Tablesome Table plugin versions 0.5.4 through 1.2.1 fail to properly check user permissions before allowing access to form data and settings. A logged-in user with minimal privileges can view, modify, or delete form submissions and configuration belonging to other users or the site administrator. This affects all supported form builders including WPForms, Contact Form 7, Gravity Forms, Forminator, and Fluent Forms.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete form submissions and settings without proper authorization.

Potential impact on your site

04Site Impact

Form data and configurations are exposed to any logged-in user; sensitive submissions may be altered or deleted.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account (subscriber or contributor level) on the WordPress site.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
February 19, 2026 Record updated

Related vulnerabilities

08Related CVE