{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25320", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:47.811Z", "datePublished": "2026-02-19T08:26:55.350Z", "dateUpdated": "2026-04-28T16:14:54.889Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sb-elementor-contact-form-db", "product": "Elementor Contact Form DB", "vendor": "Cool Plugins", "versions": [{"changes": [{"at": "2.1.4", "status": "unaffected"}], "lessThanOrEqual": "2.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "You Ludwig | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:03.855Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Elementor Contact Form DB: from n/a through <= 2.1.3.</p>"}], "value": "Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Contact Form DB: from n/a through <= 2.1.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.889Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sb-elementor-contact-form-db/vulnerability/wordpress-elementor-contact-form-db-plugin-2-1-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Elementor Contact Form DB plugin <= 2.1.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:25:58.403680Z", "id": "CVE-2026-25320", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:57:07.316Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25320", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:47.811Z", "datePublished": "2026-02-19T08:26:55.350Z", "dateUpdated": "2026-04-28T12:57:07.316Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sb-elementor-contact-form-db", "product": "Elementor Contact Form DB", "vendor": "Cool Plugins", "versions": [{"changes": [{"at": "2.1.4", "status": "unaffected"}], "lessThanOrEqual": "2.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "You Ludwig | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:39.378Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Elementor Contact Form DB: from n/a through <= 2.1.3.</p>"}], "value": "Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Contact Form DB: from n/a through <= 2.1.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.090Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sb-elementor-contact-form-db/vulnerability/wordpress-elementor-contact-form-db-plugin-2-1-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Elementor Contact Form DB plugin <= 2.1.3 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25320", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T20:25:58.403680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:25:04.773Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Contact Form DB: from n/a through <= 2.1.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Elementor Contact Form DB: desde n/a hasta &lt;= 2.1.3."}], "id": "CVE-2026-25320", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:16.340", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/sb-elementor-contact-form-db/vulnerability/wordpress-elementor-contact-form-db-plugin-2-1-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.1.4,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Elementor Contact Form DB", "source": "cna", "vendor": "Cool Plugins"}, "product": "elementor_contact_form_db", "vendor": "cool_plugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:31:20.637940+00:00", "value": {"mitigation_remediation": ["Upgrade the Elementor Contact Form DB plugin to the latest stable version that removes the access control flaw.", "If the plugin is not needed, de\u2011install or disable it entirely to eliminate the attack surface.", "Configure role permissions so that only administrators can access the plugin\u2019s management interfaces, or use a security plugin to restrict non\u2011admin users from interacting with the plugin\u2019s backend functionality."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to restricted data or functionality"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed Cool Plugins Elementor Contact Form DB version 2.1.3 or older are impacted. The affected product is the plugin named Elementor Contact Form DB, distributed by Cool Plugins. No specific WordPress core or PHP version compatibility constraints are listed, so any site running the plugin within the stated version range is at risk.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Cool Plugins Elementor Contact Form DB plugin. Because the plugin does not enforce proper access control, users can exploit incorrectly configured security levels, gaining access to actions and data that should be reserved for privileged users. The primary consequence is unauthorized data exposure or modification, which undermines confidentiality, integrity, and potentially availability of the site\u2019s content if the plugin handles event logs or system settings.", "risk_and_exploitability": "The CVSS score of 5.3 classifies the issue as moderate, indicating that while exploitation is not trivial, it can provide significant privileges to attackers. The EPSS score of less than 1% suggests that active exploitation in the wild is currently rare, and the vulnerability is not included in CISA\u2019s Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is through authenticated access: an attacker with the ability to log into the WordPress backend\u2014potentially a low-privileged user\u2014could exploit the flaw to elevate privileges or leak sensitive information. If the plugin is misconfigured to allow public access to management pages, the risk could extend to unauthenticated users."}}}}, "created": "2026-02-20T10:09:03.379643+00:00", "updated": "2026-04-16T00:45:15.960605+00:00", "vendors": ["cool_plugins", "cool_plugins$PRODUCT$elementor_contact_form_db", "wordpress", "wordpress$PRODUCT$wordpress"]}