CVE-2026-32483

Vulnerability

Overview The Contact Form Email plugin for WordPress (versions up to and including 1.3.63) contains a missing authorization vulnerability. This broken access control issue means that certain functions lack proper permission checks, nonce tokens, or authentication requirements, allowing unprivileged users to execute actions that should be restricted [1].

Exploitation

An attacker can exploit this vulnerability without needing any prior authentication or elevated privileges. The flaw is classified as a broken access control problem, which can be triggered remotely over the network. Given the plugin's widespread use, this vulnerability is expected to be targeted in mass-exploit campaigns, affecting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions within the plugin's functionality, potentially leading to data exposure or further compromise of the WordPress installation. The CVSS v3 base score is 6.5 (Medium), reflecting the moderate severity but high likelihood of exploitation due to the low attack complexity and network attack vector [1].

Mitigation

The vulnerability has been patched in version 1.3.64 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update can be applied. Hosting providers or web developers can assist with the update process [1].