What the vulnerability does
01Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers.
Explanation of Vulnerability in Simple Terms
02Summary
The Database for Contact Form 7, WPforms, and Elementor forms plugin for WordPress does not properly check user permissions before allowing access to stored form data. A logged-in user with low privileges can view contact form submissions and other data they should not have access to. Update to a version newer than 1.4.9.
What an attacker can do
03Attacker Capabilities
View contact form submissions and stored data belonging to other users or forms.
Potential impact on your site
04Site Impact
Visitor and customer data from contact forms may be exposed to unauthorized WordPress users.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor).
Key dates
06Disclosure timeline
April 1, 2026
CVE published
April 8, 2026
Record updated