{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4659", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-13T16:45:45.792Z", "datePublished": "2025-05-30T05:23:20.289Z", "dateUpdated": "2026-04-08T17:14:09.172Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:09.172Z"}, "affected": [{"vendor": "crmperks", "product": "Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website."}], "title": "Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.4 - Unauthenticated Full Path Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a99456c4-c828-4dc9-9375-8981eafbeb15?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3299864/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Fabian Rosales"}], "timeline": [{"time": "2025-05-29T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T12:32:04.183070Z", "id": "CVE-2025-4659", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T12:32:12.012Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4659", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-30T12:32:04.183070Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T12:32:08.546Z"}}], "cna": {"title": "Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.4 - Unauthenticated Full Path Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Fabian Rosales"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "crmperks", "product": "Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-29T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a99456c4-c828-4dc9-9375-8981eafbeb15?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3299864/"}], "descriptions": [{"lang": "en", "value": "The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:09.172Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4659", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:09.172Z", "dateReserved": "2025-05-13T16:45:45.792Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-30T05:23:20.289Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website."}, {"lang": "es", "value": "El complemento Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms para WordPress es vulnerable a la divulgaci\u00f3n de ruta completa en todas las versiones hasta la 1.4.4 incluida. Esto permite a atacantes no autenticados obtener la ruta completa de la aplicaci\u00f3n web, lo que puede utilizarse para otros ataques. La informaci\u00f3n mostrada no es \u00fatil por s\u00ed sola y requiere otra vulnerabilidad para que se produzcan da\u00f1os en el sitio web afectado."}], "id": "CVE-2025-4659", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-30T06:15:28.797", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3299864/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a99456c4-c828-4dc9-9375-8981eafbeb15?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:35:55.628853+00:00", "value": {"mitigation_remediation": ["Update the plug\u2011in to the most recent release that removes the path disclosure flaw.", "If an update cannot be applied immediately, disable or delete the plug\u2011in to stop the disclosure from occurring.", "After applying the patch or disabling the plug\u2011in, perform a security scan to confirm that no sensitive paths are exposed."], "summary": {"action": "Immediate Patch", "impact": "Full Path Disclosure"}, "threat_synthesis": {"affected_systems": "All releases of the Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms by crmperks up to and including version 1.4.4 are affected. The plugin is distributed through the WordPress plugin repository and is installed on WordPress sites that use any of the supported form platforms.", "description_and_impact": "The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plug\u2011in for WordPress allows unauthenticated users to retrieve the full file system path of the web application. This disclosure can assist attackers in mapping the environment and planning subsequent attacks, though the information itself is not actionable without another vulnerability. The weakness is categorized as CWE-200, where sensitive system information is exposed.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score of less than 1 percent shows a low probability of exploitation in the near term. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an unauthenticated attacker to access the plugin\u2019s disclosure endpoint; further damage would depend on the presence of additional weaknesses on the target site."}}}}, "created": "2026-04-21T20:45:25.976125+00:00", "updated": "2026-04-21T20:45:25.976139+00:00", "vendors": []}