Unauthorized Data Access in Easy Form Builder Plugin for WordPress
CVE-2025-14067

5.3 MEDIUM

What is CVE-2025-14067?

The Easy Form Builder plugin for WordPress is vulnerable to unauthorized data access: authenticated users with Subscriber-level access and higher can retrieve sensitive data. The cause is a missing capability check in several AJAX actions, stemming from a logic flaw in the authorization checks: the plugin uses AND (&&) where OR (||) is required, so a request can pass the check without the user actually being authorized, inadvertently permitting unauthorized data retrieval. Attackers can exploit this flaw to access sensitive form response data, including messages and user information.
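As an added illustration (not the plugin's own code, which this advisory does not quote), here is the shape of a WordPress AJAX handler whose authorization gate uses `&&` where `||` belongs, beside the corrected form. The action name, capability and nonce name are assumptions.

```php
<?php
// Added illustration of the operator mix-up described above. Hypothetical
// handler; the action, capability and nonce names are assumptions.

// FLAWED: the request is rejected only when BOTH checks fail. A logged-in
// Subscriber without the capability gets through as long as the nonce
// verifies (and, because && short-circuits, an administrator's request is
// never nonce-checked at all), so any authenticated user can read responses.
function efb_demo_get_responses_flawed() {
    if ( ! current_user_can( 'manage_options' )
         && ! check_ajax_referer( 'efb_demo_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( efb_demo_load_responses() );
}

// FIXED: reject when EITHER check fails. Authorization (capability) and
// request-forgery protection (nonce) are independent gates; both must hold.
function efb_demo_get_responses_fixed() {
    if ( ! current_user_can( 'manage_options' )
         || ! check_ajax_referer( 'efb_demo_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( efb_demo_load_responses() );
}

// Stand-in for the data loader; a real plugin would query its own tables.
function efb_demo_load_responses() {
    return array();
}

// Hooking only wp_ajax_ (not wp_ajax_nopriv_) already limits the endpoint to
// logged-in users, which is exactly the population the advisory names:
// Subscriber and above. The capability check is what narrows it further.
add_action( 'wp_ajax_efb_demo_get_responses', 'efb_demo_get_responses_fixed' );
```

When auditing a handler, evaluate each `if` guard with the truth table in mind: a `&&` between two negated checks only denies when every check fails, which is almost never the intended policy.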

Affected Version(s)

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder, all versions up to and including 3.9.3

CVSS V3.1

  • Score: 5.3
  • Severity: MEDIUM
  • Confidentiality: Low
  • Integrity: None
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Itthidej Aramsri