{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25339", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:37.307Z", "datePublished": "2026-03-25T16:14:41.799Z", "dateUpdated": "2026-03-26T17:11:07.593Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpforms-lite", "product": "Contact Form by WPForms", "vendor": "Syed Balkhi", "versions": [{"changes": [{"at": "1.9.9.2", "status": "unaffected"}], "lessThanOrEqual": "<= 1.9.8.7", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Cid_Kagenou_Sama | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:21.548Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.<p>This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:41.799Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-8-7-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:11:04.823749Z", "id": "CVE-2026-25339", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:11:07.593Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:11:04.823749Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:10:58.524Z"}}], "cna": {"title": "WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Cid_Kagenou_Sama | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "Syed Balkhi", "product": "Contact Form by WPForms", "versions": [{"status": "affected", "changes": [{"at": "1.9.9.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.9.8.7"}], "packageName": "wpforms-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:21.548Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-8-7-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.", "supportingMedia": [{"type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.<p>This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:41.799Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25339", "state": "PUBLISHED", "dateUpdated": "2026-03-26T17:11:07.593Z", "dateReserved": "2026-02-02T12:52:37.307Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:41.799Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7."}, {"lang": "es", "value": "Inserci\u00f3n de Informaci\u00f3n Sensible en Datos Enviados vulnerabilidad en Formulario de Contacto de Syed Balkhi de WPForms wpforms-lite permite Recuperar Datos Sensibles Incrustados. Este problema afecta a Formulario de Contacto de WPForms: desde n/d hasta &lt;= 1.9.8.7."}], "id": "CVE-2026-25339", "lastModified": "2026-03-26T18:16:28.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:44.520", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-8-7-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.9.8.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "1.9.9.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Contact Form by WPForms", "source": "cna", "vendor": "Syed Balkhi"}, "product": "contact_form_by_wpforms", "vendor": "syed_balkhi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:06:39.502403+00:00", "value": {"mitigation_remediation": ["Update the Contact Form by WPForms plugin to version 1.9.8.8 or later.", "If an immediate update is not possible, restrict the plugin\u2019s ability to process sensitive fields by disabling advanced options or removing optional private fields from the form. ", "Monitor site logs and plugin error logs for unusual form submission patterns or repeated access attempts to the plugin endpoint."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The bug affects the Contact Form by WPForms\u2014also known as wpforms-lite\u2014produced by Syed Balkhi. Any WordPress installation that uses the plugin in a version from the earliest release up through 1.9.8.7 is vulnerable. Sites running older releases are also impacted since the flaw has existed since the start of the product.", "description_and_impact": "The vulnerability allows an attacker to retrieve sensitive data that is embedded in messages sent by the Contact Form by WPForms plugin. An unauthorized party can expose confidential information such as personal details, contact information, or credentials that are meant to be private, causing a confidentiality breach. This flaw does not affect code execution or availability, but it allows the read of private data that should remain protected.", "risk_and_exploitability": "No CVSS or EPSS scores are provided, but the absence of a public exploit does not reduce the risk because the flaw enables direct exposure of sensitive data. The likely attack vector is an external user who submits a crafted form or directly requests the plugin\u2019s processing endpoint to retrieve embedded sensitive data. Because the plugin handles user form inputs, no special privileges are needed; a simple web request is sufficient. The impact of potentially leaking personal or confidential information is high, so the vulnerability should be treated with priority."}}}}, "created": "2026-03-25T21:34:01.786308+00:00", "updated": "2026-03-26T11:39:17.752792+00:00", "vendors": ["syed_balkhi", "syed_balkhi$PRODUCT$contact_form_by_wpforms", "wordpress", "wordpress$PRODUCT$wordpress"]}