What the vulnerability does
01 Description
The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the plugin's settings, including API keys for integrated services.
Explanation of Vulnerability in Simple Terms
02 Summary
WS Form LITE versions up to 1.10.35 fail to properly check user permissions before allowing access to form data and settings. An unauthenticated attacker can read sensitive information from forms without authorization. Site owners should update to a version newer than 1.10.35 to restore proper access controls.
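An added example, not code from the plugin or from this advisory: a check of a plugin main-file header against the version boundary stated above. The header text is a constructed sample, and matching on the display name "WS Form LITE" is an assumption about the plugin's header. Components are compared as integers because a plain string comparison would rank 1.10.4 above 1.10.35.

```python
import re

LAST_AFFECTED = (1, 10, 35)  # last vulnerable release, per the advisory text

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WS Form LITE
 * Version: 1.10.4
 */
"""

FIELD = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M | re.I)

def read_header(php_source):
    """Collect the Plugin Name and Version header fields (first match wins)."""
    fields = {}
    # WordPress reads header fields only from the first 8 KiB of the file.
    for key, value in FIELD.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'1.10.4' -> (1, 10, 4); a suffix such as '-beta' on a part is ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            raise ValueError(f"unparseable version: {version!r}")
        parts.append(int(digits.group()))
    return tuple(parts)

def is_affected(version):
    """True when version <= 1.10.35, comparing components as integers."""
    v = version_tuple(version)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(LAST_AFFECTED)

def audit(php_source):
    """None if this is not the plugin (assumed name match), else True/False."""
    fields = read_header(php_source)
    if "ws form lite" not in fields.get("plugin name", "").lower():
        return None
    version = fields.get("version")
    return None if version is None else is_affected(version)

if __name__ == "__main__":
    print("affected:", audit(SAMPLE_HEADER))
```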
What an attacker can do
03 Attacker Capabilities
Read sensitive form data and configuration without logging in.
Potential impact on your site
04 Site Impact
Visitor data, form submissions, and plugin settings may be exposed to anyone on the internet.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
April 25, 2025: CVE published
April 8, 2026: Record updated