Arbitrary File Copy Vulnerability in Contact Form Entries Plugin for WordPress
CVE-2026-9145
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 July 2026
What is CVE-2026-9145?
The Contact Form Entries plugin for WordPress is prone to a vulnerability that allows attackers to perform arbitrary file copying. This issue arises through the create_entry_el() function, which fails to validate the file inputs from Elementor Pro's Form_Record object. Attackers can leverage this flaw by sending a crafted POST request, where raw_value can reflect an attacker-controlled string, allowing unauthorized access to files on the server’s filesystem. Since the plugin directly utilizes PHP's copy() function without proper checks, this vulnerability poses serious risks, enabling file disclosure or potential further exploitation, especially when Elementor Pro is active.
Affected Version(s)
Database for Contact Form 7, WPforms, Elementor forms 0 <= 1.5.1