4.3
WordPress Plugins Can Be Hacked to Steal Form Data
CVE-2026-3831
Summary
If you use the Database for Contact Form 7, WPforms, Elementor forms plugin on your WordPress site, an authenticated attacker with Contributor-level access or above can extract all form submissions, including sensitive information like names, emails, and phone numbers. This affects all versions up to, and including, 1.4.9. Update the plugin to the latest version to fix the issue.
Original title
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in ...
Original description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers.
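The missing check described above, shown as an added example that is not the plugin's own code: a shortcode callback that returns stored entries with no capability check, beside a version that gates on `current_user_can()`. The function names, the shortcode tag, the table name and the choice of the `manage_options` capability are assumptions made for illustration.

```php
<?php
// Hypothetical names throughout: the example_* functions, the
// 'example_entries' tag and the example_form_entries table are
// illustrative and are not taken from the affected plugin.

// Before: the callback never considers the role of the current user,
// so stored submissions are returned to whoever causes it to run.
function example_entries_shortcode_unchecked( $atts ) {
    $atts = shortcode_atts( array( 'form_id' => 0 ), $atts, 'example_entries' );
    return example_render_entries( absint( $atts['form_id'] ) );
}

// After: authorization is decided inside the callback itself, before
// any entry is read. 'manage_options' is an assumed capability; a
// plugin may register a dedicated one for viewing entries instead.
function example_entries_shortcode( $atts ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return ''; // Render nothing for Contributor, Author, Editor, guests.
    }
    $atts = shortcode_atts( array( 'form_id' => 0 ), $atts, 'example_entries' );
    return example_render_entries( absint( $atts['form_id'] ) );
}

// Shared renderer: parameterized query, escaped output.
function example_render_entries( $form_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries';
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT name, email, phone FROM {$table} WHERE form_id = %d",
            $form_id
        ),
        ARRAY_A
    );
    $out = '<ul>';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . esc_html( implode( ', ', $row ) ) . '</li>';
    }
    return $out . '</ul>';
}

// Only the checked callback is registered.
add_shortcode( 'example_entries', 'example_entries_shortcode' );
```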
nvd CVSS3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026