{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32446", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:35.694Z", "datePublished": "2026-03-13T11:42:20.527Z", "dateUpdated": "2026-04-29T09:51:59.635Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpforms-lite", "product": "Contact Form by WPForms", "vendor": "Syed Balkhi", "versions": [{"changes": [{"at": "1.9.9.4", "status": "unaffected"}], "lessThanOrEqual": "1.9.9.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "davidfdzmorilla | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:13.891Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3.</p>"}], "value": "Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.635Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-9-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T15:33:03.355446Z", "id": "CVE-2026-32446", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:33:27.342Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32446", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T15:33:03.355446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:32:03.739Z"}}], "cna": {"title": "WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "davidfdzmorilla | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Syed Balkhi", "product": "Contact Form by WPForms", "versions": [{"status": "affected", "changes": [{"at": "1.9.9.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.9.3"}], "packageName": "wpforms-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:06:13.891Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-9-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.635Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32446", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:51:59.635Z", "dateReserved": "2026-03-12T11:11:35.694Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:20.527Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.9.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en el formulario de contacto de Syed Balkhi por WPForms wpforms-lite permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Contact Form by WPForms: desde n/a hasta &lt;= 1.9.9.3."}], "id": "CVE-2026-32446", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:55:05.290", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-9-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.9.9.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "1.9.9.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Contact Form by WPForms", "source": "cna", "vendor": "Syed Balkhi"}, "product": "contact_form_by_wpforms", "vendor": "syed_balkhi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:12:21.277050+00:00", "value": {"mitigation_remediation": ["Update the Contact Form by WPForms plugin to a version newer than 1.9.9.3.", "Verify that the plugin\u2019s access control settings reflect the intended user permissions after the update.", "Monitor site logs for any unusual access attempts to the plugin\u2019s configuration pages."], "summary": {"action": "Upgrade Plugin", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the Contact Form by WPForms plugin from the vendor Syed Balkhi. All releases from the earliest available version up to and including 1.9.9.3 are impacted. The plugin is distributed as wpforms-lite for WordPress.", "description_and_impact": "This vulnerability is a missing authorization flaw that allows an attacker to tamper with the WordPress Contact Form by WPForms plugin\u2019s settings. The flaw stems from incorrectly configured access control security levels, enabling unauthorized modification or retrieval of form data and configuration. The exploit can lead to data exposure or alteration of contact form behavior, directly compromising the confidentiality and integrity of data handled by the form.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a medium severity level, while the EPSS score of less than 1% indicates a low exploit probability at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. The typical attack vector is inferred to be remote via the WordPress web interface, requiring no special credentials. However, such inference is drawn from the plugin\u2019s web-based nature rather than explicit data in the description. Given the low scores but potential for unauthorized data modification, administrators should consider this a priority for remediation."}}}}, "created": "2026-03-16T09:33:20.224701+00:00", "updated": "2026-03-23T12:03:19.456949+00:00", "vendors": ["syed_balkhi", "syed_balkhi$PRODUCT$contact_form_by_wpforms", "wordpress", "wordpress$PRODUCT$wordpress"]}