Arbitrary File Copy Vulnerability in Contact Form Entries Plugin for WordPress
CVE-2026-9145

6.5MEDIUM

What is CVE-2026-9145?

The Contact Form Entries plugin for WordPress is prone to a vulnerability that allows attackers to perform arbitrary file copying. This issue arises through the create_entry_el() function, which fails to validate the file inputs from Elementor Pro's Form_Record object. Attackers can leverage this flaw by sending a crafted POST request, where raw_value can reflect an attacker-controlled string, allowing unauthorized access to files on the server’s filesystem. Since the plugin directly utilizes PHP's copy() function without proper checks, this vulnerability poses serious risks, enabling file disclosure or potential further exploitation, especially when Elementor Pro is active.

Affected Version(s)

Database for Contact Form 7, WPforms, Elementor forms 0 <= 1.5.1

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonah Burgess (CryptoCat)
.