What the vulnerability does
01 Description
Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.58.
Explanation of Vulnerability in Simple Terms
02 Summary
Contact Form Email versions up to 1.3.58 lack proper authorization checks, allowing authenticated users to read sensitive data they should not access. An attacker with a low-privilege account can retrieve confidential information from the plugin without additional interaction. This affects all installations running the vulnerable version range.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the plugin that should be restricted to higher-privilege users.
Potential impact on your site
04 Site Impact
Any registered user can access confidential information stored or processed by the Contact Form Email plugin.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege authenticated account on the site.
Key dates
06 Disclosure timeline
November 13, 2025: CVE published
April 28, 2026: Record updated