What the vulnerability does
01Description
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key.
Explanation of Vulnerability in Simple Terms
02Summary
Tablesome Table plugin versions 0.5.4 through 1.2.1 fail to properly check user permissions before allowing access to form data and settings. A logged-in user with minimal privileges can view, modify, or delete form submissions and configuration belonging to other users or the site administrator. This affects all supported form builders including WPForms, Contact Form 7, Gravity Forms, Forminator, and Fluent Forms.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete form submissions and settings without proper authorization.
Potential impact on your site
04Site Impact
Form data and configurations are exposed to any logged-in user; sensitive submissions may be altered or deleted.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account (subscriber or contributor level) on the WordPress site.
Key dates
06Disclosure timeline
February 19, 2026
CVE published
February 19, 2026
Record updated