Unauthenticated Access Control Flaw in WPForms by WPForms
CVE-2026-48835

7.5HIGH

Key Information:

Vendor: WordPress
Status: Contact Form By WPforms
Vendor: CVE Published:; 15 June 2026

What is CVE-2026-48835?

An access control vulnerability exists in the Contact Form by WPForms plugin versions up to 1.10.0.4, allowing unauthenticated users to exploit functionality and gain access to sensitive areas of the application. This issue emphasizes the necessity for robust security measures to safeguard WordPress environments against unauthorized access.

Affected Version(s)

Contact Form by WPForms <= 1.10.0.4

References

https://patchstack.com/database/wordpress/plugin/wpforms-...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2026
Vulnerability Reserved
May 25, 2026

Credit

Cyrille COQUARD | Patchstack Bug Bounty Program

CVE-2026-48835 Data

JSON