CVE-2026-48835
Description
Unauthenticated broken access control in Contact Form by WPForms (<=1.10.0.4) allows unprivileged users to perform privileged actions, exploited in mass campaigns.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A broken access control vulnerability exists in the Contact Form by WPForms plugin for WordPress, affecting versions up to and including 1.10.0.4. The issue stems from missing capability (authorization) checks or nonce verification in one or more plugin functions, so requests that should be limited to higher-privileged users are accepted from unauthenticated visitors [1]. Note that in WordPress a nonce check on its own is CSRF protection, not authorization: any logged-in user can obtain a nonce from a page that prints it, so only a capability check actually prevents privilege escalation.
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted requests to the vulnerable plugin endpoints. No credentials or site-specific information are required, so the attack can be automated and scaled to target thousands of websites simultaneously [1].
Impact
Successful exploitation allows an attacker to perform privileged actions without authorization, potentially leading to unauthorized data access, modification of form configurations, or other administrative capabilities. The vulnerability is actively used in mass-exploit campaigns, posing a significant risk to any site running the plugin [1].
Mitigation
Official patch: upgrade to version 1.10.0.5 or later immediately. The update restores proper access control checks. Confirm the installed version on the Plugins screen or with `wp plugin list` before and after updating, since sites with auto-updates disabled may still report an affected version. Users unable to update immediately should consider disabling the plugin or contacting their hosting provider for assistance. Auto-update can be enabled for vulnerable plugins via Patchstack [1].
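The following is an added illustration of the vulnerability class described under Vulnerability and of the kind of check the fix described under Mitigation restores. It is not WPForms code and not derived from the actual fix (the page has no source-code context): the plugin prefix `acme_`, the AJAX action `acme_save_form_settings`, the option `acme_form_settings` and the request parameters are hypothetical. The WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `update_option`, `wp_send_json_*`, `absint`, `sanitize_email`, `is_email`, `wp_unslash`) are the real core APIs.

```php
<?php
// Added example, not the plugin's own code. Shows the broken-access-control
// pattern (an admin-ajax handler reachable without login that performs a
// privileged write) next to a hardened version. Names prefixed acme_ are
// hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Registering on wp_ajax_nopriv_* makes the callback reachable by visitors
// who are not logged in, and the callback performs no nonce or capability
// check. Anyone can POST
//   /wp-admin/admin-ajax.php?action=acme_save_form_settings
// and overwrite the plugin's settings.
add_action( 'wp_ajax_acme_save_form_settings',        'acme_save_form_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_save_form_settings', 'acme_save_form_settings_vulnerable' );

function acme_save_form_settings_vulnerable() {
    $settings = array(
        'form_id'      => isset( $_POST['form_id'] ) ? (int) $_POST['form_id'] : 0,
        'notify_email' => isset( $_POST['notify_email'] ) ? $_POST['notify_email'] : '',
    );
    update_option( 'acme_form_settings', $settings ); // privileged write, unchecked
    wp_send_json_success( $settings );                // wp_send_json_* terminates the request
}

// --- Hardened pattern -----------------------------------------------------
// 1. Only the authenticated hook is registered: unauthenticated requests never
//    reach the callback (admin-ajax returns "0" for unknown nopriv actions).
// 2. check_ajax_referer() rejects requests without a valid nonce (CSRF).
// 3. current_user_can() is the actual authorization check. A nonce alone is
//    not enough: any logged-in user, including a subscriber, can obtain one
//    from a page that prints it.
add_action( 'wp_ajax_acme_save_form_settings', 'acme_save_form_settings_hardened' );

function acme_save_form_settings_hardened() {
    // Nonce created server-side with wp_create_nonce( 'acme_save_form_settings' )
    // and sent by the front-end script in the 'nonce' POST field. Dies on failure.
    check_ajax_referer( 'acme_save_form_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Sanitize and validate input only after the request is known to be authorized.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $email   = isset( $_POST['notify_email'] )
        ? sanitize_email( wp_unslash( $_POST['notify_email'] ) )
        : '';

    if ( 0 === $form_id || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    $settings = array( 'form_id' => $form_id, 'notify_email' => $email );
    update_option( 'acme_form_settings', $settings );
    wp_send_json_success( $settings );
}
```

When auditing a plugin for this class of bug, the first thing to list is every callback registered on a `wp_ajax_nopriv_*` hook, a public REST route with `'permission_callback' => '__return_true'`, or an `admin_init`/`init` handler that acts on request parameters; each of those is reachable without a session and must justify every write it performs. A capability check that appears only in the JavaScript or in the admin page that renders the form, rather than in the server-side handler, does not count.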
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.10.0.4
- (no CPE) range: <=1.10.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
[1] Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026). Wordfence Blog, Jun 4, 2026.