CVE-2026-48835 | Severity: HIGH | CNA: Patchstack

CVE-2026-48835: WordPress Contact Form by WPForms plugin <= 1.10.0.4 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a broken access control vulnerability in the Contact Form by WPForms WordPress plugin, affecting versions 1.10.0.4 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any external attacker can trigger the vulnerable code path directly. Successful exploitation allows an attacker to tamper with data, achieving high integrity impact on the affected system. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-48835 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering both third-party and custom-built images that bundle the WPForms plugin. Any image found to carry the affected plugin version at or below 1.10.0.4 is flagged automatically in the customer's pipeline.

Triage (status: Available)

HarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to reflect local risk tolerance. Routing to the appropriate team inbox within each customer organization is available based on policy-defined ownership rules.

Patch (status: Pending upstream)

No fix version has been published upstream for CVE-2026-48835; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Awesomemotive releases a remediated version of the plugin. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
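As an added example (not HarborGuard's or WPForms' own code), the following Python check flags a WordPress install or image that carries WPForms at or below 1.10.0.4, the affected range in this advisory; the comparison is numeric so that 1.9.9 is correctly treated as older than 1.10.0.4. The plugin file paths and the sample header are assumptions, not values taken from the advisory.

```python
import re
from pathlib import Path

VULNERABLE_MAX = "1.10.0.4"  # upper bound of the affected range, from the advisory
# Assumed plugin main files under the WordPress root (Lite / Pro); paths are an assumption.
CANDIDATE_FILES = ("wp-content/plugins/wpforms-lite/wpforms.php", "wp-content/plugins/wpforms/wpforms.php")
# WordPress plugin metadata lives in a leading comment block with a "Version:" field.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
# Constructed sample header, shaped like a real plugin file's metadata block.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: WPForms Lite\n * Version: 1.10.0.4\n */\n"


def parse_plugin_version(header_text: str):
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str, width: int) -> tuple:
    # Numeric components zero-padded so "1.10" compares as 1.10.0.0; a suffix
    # such as "4-beta" keeps only its leading digits.
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str) -> bool:
    # Affected when version <= 1.10.0.4 under numeric, not string, comparison
    # (a naive string compare would wrongly rank "1.9.9" above "1.10.0.4").
    width = max(len(version.split(".")), len(VULNERABLE_MAX.split(".")))
    return version_tuple(version, width) <= version_tuple(VULNERABLE_MAX, width)


def check_header(header_text: str) -> dict:
    version = parse_plugin_version(header_text)
    return {"version": version, "affected": version is not None and is_affected(version)}


def scan_wordpress_root(root: Path) -> list:
    # One result per candidate file present; only the first 8 KB is read, since
    # the header sits at the top of the file.
    results = []
    for rel in CANDIDATE_FILES:
        path = root / rel
        if path.is_file():
            info = check_header(path.read_text(errors="replace")[:8192])
            results.append({"file": str(path), **info})
    return results
```

Point `scan_wordpress_root` at an unpacked image layer or a mounted site root to get one verdict per plugin file found; an empty list means neither candidate file exists there.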

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress installation.

  • Authentication: Not required

    No account or credentials of any privilege level are needed to reach the vulnerable code path.

  • Victim interaction: Not required

    No action from an administrator or site visitor is needed for exploitation.

  • Attack complexity: Low

    Exploitation is reliable and condition-free, with no race conditions or special environmental factors required.

Blast Radius

  • An attacker can modify form data, form configurations, or other persisted plugin state without holding any account on the site.
  • Because access controls are bypassed entirely, the attacker may be able to alter or delete contact form submissions or plugin settings.
  • Integrity of data managed by the WPForms plugin is fully compromised; confidentiality and availability of the broader WordPress installation are not directly affected by this vector.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active and matched against all customer images carrying the WPForms plugin at the affected version range. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild the moment a remediated version is published. In the interim, compensating controls worth considering include network-policy rules that restrict unauthenticated external access to WordPress admin and plugin endpoints, web application firewall rules that block unexpected parameter manipulation against WPForms routes, and disabling or removing the plugin from images where the form functionality is not strictly needed. For customers with auto-remediation enabled, the full rebuild, regression run, and PR flow will execute automatically once a fix version becomes available, with no manual intervention required.

Affected packages

  • Awesomemotive / Contact Form by WPForms: ≤ 1.10.0.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N