{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25339", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:37.307Z", "datePublished": "2026-03-25T16:14:41.799Z", "dateUpdated": "2026-04-29T09:51:56.874Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpforms-lite", "product": "Contact Form by WPForms", "vendor": "Syed Balkhi", "versions": [{"changes": [{"at": "1.9.9.2", "status": "unaffected"}], "lessThanOrEqual": "1.9.8.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Cid_Kagenou_Sama | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:22.338Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.<p>This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:56.874Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-8-7-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:11:04.823749Z", "id": "CVE-2026-25339", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:11:07.593Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:11:04.823749Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:10:58.524Z"}}], "cna": {"title": "WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Cid_Kagenou_Sama | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "Syed Balkhi", "product": "Contact Form by WPForms", "versions": [{"status": "affected", "changes": [{"at": "1.9.9.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.8.7"}], "packageName": "wpforms-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:22.338Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-8-7-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.", "supportingMedia": [{"type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.<p>This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:08.847Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25339", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:14:08.847Z", "dateReserved": "2026-02-02T12:52:37.307Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:41.799Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7."}, {"lang": "es", "value": "Inserci\u00f3n de Informaci\u00f3n Sensible en Datos Enviados vulnerabilidad en Formulario de Contacto de Syed Balkhi de WPForms wpforms-lite permite Recuperar Datos Sensibles Incrustados. Este problema afecta a Formulario de Contacto de WPForms: desde n/d hasta &lt;= 1.9.8.7."}], "id": "CVE-2026-25339", "lastModified": "2026-04-29T10:16:54.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:44.520", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-8-7-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.9.8.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "1.9.9.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Contact Form by WPForms", "source": "cna", "vendor": "Syed Balkhi"}, "product": "contact_form_by_wpforms", "vendor": "syed_balkhi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T18:45:11.403206+00:00", "value": {"mitigation_remediation": ["Upgrade Contact Form by WPForms to a version newer than 1.9.8.7 when it becomes available."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is Contact Form by WPForms provided by Syed Balkhi. All versions from the first release up through 1.9.8.7 are impacted. The plugin is commonly deployed on WordPress sites and is used to accept user submissions through contact forms.", "description_and_impact": "The vulnerability occurs when the WordPress Contact Form by WPForms plugin incorrectly inserts sensitive information into data that is sent through the form. This flaw allows an attacker to retrieve embedded sensitive data, exposing confidential information such as personal or financial details. It is a classic information\u2011exposure weakness as identified by CWE\u2011201, resulting in loss of data confidentiality and potential breach of privacy.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that exploitation is unlikely but still possible. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be through the web form interface; an attacker could craft or submit requests that trigger the plugin to expose sensitive data. Once successful, the attacker can read data that should remain confidential, increasing the risk for affected sites."}}}}, "created": "2026-03-25T21:34:01.786308+00:00", "updated": "2026-03-27T09:46:01.460012+00:00", "vendors": ["syed_balkhi", "syed_balkhi$PRODUCT$contact_form_by_wpforms", "wordpress", "wordpress$PRODUCT$wordpress"]}