cleantalk
Vulnerabilities and Security Researches

Database for Contact Form 7, WPforms, Elementor forms, CVE-2026-0825

CVE, Research URL

CVE-2026-0825

Home page URL

Security reports for Database for Contact Form 7, WPforms, Elementor forms

Application

Database for Contact Form 7, WPforms, Elementor forms

Published on
Jan 28, 2026
Research Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions.
Affected versions
max 1.4.6.
Status
vulnerable
Previous vulnerability researches
Doofinder WP & WooCommerce Search (CVE-2023-40602) , Jun 07, 2024
Doofinder WP & WooCommerce Search (CVE-2023-49185) , Jun 07, 2024
Doofinder WP & WooCommerce Search (CVE-2023-51678) , Jun 07, 2024
Doofinder WP & WooCommerce Search (CVE-2024-25596) , Jun 07, 2024
Doofinder WP & WooCommerce Search (CVE-2026-39542) , Apr 14, 2026
New vulnerability
EmailKit -WooCommerce Email Customizer (CVE-2026-1925) , Apr 15, 2026
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce (CVE-2026-1651) , Apr 15, 2026
Contact Form builder with drag & drop for WordPress – Kali Forms (CVE-2026-1860) , Apr 15, 2026
Related Posts by Taxonomy (CVE-2026-0916) , Apr 15, 2026
Ivory Search – WordPress Search Plugin (CVE-2026-1053) , Apr 15, 2026