CVE-2025-10019
📋 TL;DR
This CVE describes an authorization bypass vulnerability in the Contact Form Email WordPress plugin where attackers can access or manipulate data by controlling object references. It affects all WordPress sites running Contact Form Email plugin versions up to and including 1.3.60.
💻 Affected Systems
- Contact Form Email WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive form submissions, modify plugin settings, or potentially access other WordPress data through IDOR exploitation.
Likely Case
Unauthorized access to form submission data containing PII, contact information, or other sensitive user-provided content.
If Mitigated
Limited impact with proper access controls, but still exposes form data to unauthorized users.
🎯 Exploit Status
Exploitation requires some user access but minimal technical skill. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.61 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Contact Form Email' plugin
4. Click 'Update Now' if update available
5. Alternatively, download version 1.3.61+ from WordPress repository and manually update
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate contact-form-to-email
Access Restriction
allRestrict access to WordPress admin and affected endpoints
🧯 If You Can't Patch
- Disable the Contact Form Email plugin immediately
- Implement web application firewall rules to block IDOR exploitation patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Contact Form Email versionCheck Version:
wp plugin get contact-form-to-email --field=versionVerify Fix Applied:
Verify plugin version is 1.3.61 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to contact form endpoints
- Multiple failed authorization attempts on plugin admin pages
- Access to form submission data from unexpected IPs
Network Indicators:
- HTTP requests manipulating object IDs in URLs
- Unusual parameter patterns in POST/GET requests to contact form endpoints
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "contact-form-to-email") AND (query_string CONTAINS "action=" OR query_string CONTAINS "id=")