CVE-2025-31045 HIGH

CVE-2025-31045: WordPress elfsight Contact Form widget plugin <= 2.3.1 - Sensitive Data Exposure Vulnerability

Vendor: Elfsight
Product: elfsight Contact Form widget
Weakness: CWE-497
Published: June 9, 2025
Last update: April 28, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in elfsight elfsight Contact Form widget elfsight-contact-form allows Retrieve Embedded Sensitive Data. This issue affects elfsight Contact Form widget: from n/a through <= 2.3.1.

Explanation of Vulnerability in Simple Terms

02 Summary

The Elfsight Contact Form widget versions 2.3.1 and earlier expose sensitive information to unauthenticated attackers over the network. An attacker can read data that should be confidential without needing to log in or interact with a user. The vulnerability stems from improper exposure of internal data structures. Update to a version newer than 2.3.1.

What an attacker can do

03 Attacker Capabilities

Read sensitive data from the contact form widget without authentication.

Potential impact on your site

04 Site Impact

Confidential information handled by the contact form may be exposed to anyone on the internet.

Conditions required to exploit

05 Prerequisites

Network access to the site; no login or user interaction required.

Key dates

06 Disclosure timeline

June 9, 2025: CVE published
April 28, 2026: Record updated