CVE-2025-63056
Description
Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by BestWebSoft: from n/a through <= 4.3.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Contact Form by BestWebSoft allows unprivileged users to exploit misconfigured access controls, enabling unauthorized actions.
Root Cause
The Contact Form by BestWebSoft plugin for WordPress suffers from a missing authorization vulnerability. The plugin fails to enforce an access control check on certain functions, so users with lower privileges can invoke actions reserved for higher-privileged users [1]. In WordPress terms this usually means an action handler (an admin page callback, an admin-ajax or admin-post action) that runs without a capability check such as current_user_can(); the description does not name the affected handler.
Exploitation
Attackers can exploit this broken access control by sending requests directly to the affected functions from an account that holds less privilege than the action requires. Because the check is missing on the server side, hiding the control in the admin UI offers no protection: the request can be crafted by hand or scripted and sent remotely [1]. The description does not state the minimum privilege needed, so sites that allow open registration should assume any low-privilege account is a viable starting point.
Impact
Successful exploitation could allow an attacker to bypass intended access restrictions, leading to unauthorized actions such as viewing, modifying, or deleting form submissions or settings. This may compromise the confidentiality and integrity of data collected through the contact form [1].
Mitigation
The affected range ends at 4.3.6, which indicates the fix landed in the next release (4.3.7); this page does not yet link a patch record, so confirm the fixed version in the vendor's changelog before relying on it, then update the plugin to that version or later [1]. For those unable to update immediately, restricting the plugin's administrative pages with server-level rules (for example, limiting wp-admin to trusted IP addresses) reduces exposure, but it does not help if the affected function is reached through admin-ajax.php or admin-post.php, which must stay reachable for normal site operation; in that case, deactivating the plugin until it is patched is the safer workaround.
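To make the root cause and the fix concrete, the following is an added illustrative example written for this page; it is not code from Contact Form by BestWebSoft, and the action name cfex_save_settings, the option key cfex_settings and the nonce name are hypothetical. It shows the generic WordPress missing-authorization pattern the Root Cause section describes (a handler registered for logged-in users that never checks a capability) next to the hardened form. Which hook the real plugin used is not stated on this page.

```php
<?php
// Added illustrative example; not the plugin's own code. Names are hypothetical.

// VULNERABLE PATTERN (shown for contrast; do not register this handler).
// wp_ajax_* fires for any logged-in user, including Subscriber. With no
// capability check, a subscriber can rewrite a setting meant for admins.
// Had the handler also been hooked on wp_ajax_nopriv_*, anonymous visitors
// could reach it too.
function cfex_save_settings_vulnerable() {
    $settings = array(
        'recipient' => sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) ),
    );
    update_option( 'cfex_settings', $settings ); // no authorization check
    wp_send_json_success();
}

// HARDENED: authenticate the request (nonce) AND authorize the actor
// (capability). A nonce alone is not authorization: WordPress will happily
// issue one to a subscriber, so the current_user_can() check is what
// actually restricts the action to administrators.
function cfex_save_settings_fixed() {
    // Dies with HTTP 403 if the nonce is missing or does not match.
    check_ajax_referer( 'cfex_save_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_privileges', 403 );
    }

    $settings = array(
        'recipient' => sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) ),
    );
    update_option( 'cfex_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_cfex_save_settings', 'cfex_save_settings_fixed' );

// The admin page that issues the request must hand the browser a nonce bound
// to the same action name; the JavaScript then POSTs it as the 'nonce' field.
function cfex_enqueue_admin_assets( $hook_suffix ) {
    wp_enqueue_script( 'cfex-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cfex-admin', 'cfexAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'cfex_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cfex_enqueue_admin_assets' );
```

When reviewing a plugin for this class of bug, grep every add_action( 'wp_ajax_', 'wp_ajax_nopriv_', 'admin_post_' ) and admin_menu callback and confirm each one reaches a current_user_can() check before it reads or writes anything; a handler with only a nonce check is still a missing-authorization finding.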
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 4.3.6
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.