CVE-2025-3912
📋 TL;DR
This vulnerability allows unauthenticated attackers to read sensitive configuration data from the WS Form LITE WordPress plugin, including API keys for integrated services. All WordPress sites using this plugin up to version 1.10.35 are affected. Attackers can exploit this without any authentication.
💻 Affected Systems
- WS Form LITE – Drag & Drop Contact Form Builder for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal API keys for integrated services (like email, payment, or cloud services), leading to data breaches, financial fraud, or service abuse. They could also gather configuration details to plan further attacks.
Likely Case
Attackers exfiltrate API keys and sensitive plugin settings, potentially compromising connected services or using the information for reconnaissance.
If Mitigated
With proper network segmentation and API key rotation, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires sending a crafted HTTP request to the vulnerable endpoint. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.36 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3280355/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'WS Form LITE' and click 'Update Now'. 4. Verify the plugin version is 1.10.36 or higher.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate ws-form
Web Application Firewall Rule
allBlock requests to the vulnerable API endpoint.
Add WAF rule to block: /wp-json/ws-form/v1/config
🧯 If You Can't Patch
- Rotate all API keys stored in the plugin configuration immediately.
- Implement network-level restrictions to limit access to the WordPress admin and API endpoints.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is 1.10.35 or lower, the system is vulnerable.Check Version:
wp plugin get ws-form --field=versionVerify Fix Applied:
After updating, confirm the plugin version is 1.10.36 or higher in the WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /wp-json/ws-form/v1/config from unauthenticated users
- Unusual GET requests to WordPress REST API endpoints
Network Indicators:
- Unusual outbound traffic to external services using potentially stolen API keys
SIEM Query:
source="wordpress.log" AND uri="/wp-json/ws-form/v1/config" AND http_status=200 AND user="-"🔗 References
- https://plugins.trac.wordpress.org/browser/ws-form/trunk/api/class-ws-form-api.php
- https://plugins.trac.wordpress.org/browser/ws-form/trunk/includes/class-ws-form-common.php
- https://plugins.trac.wordpress.org/browser/ws-form/trunk/includes/class-ws-form-config.php
- https://plugins.trac.wordpress.org/browser/ws-form/trunk/ws-form.php
- https://plugins.trac.wordpress.org/changeset/3280355/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3f6058e2-a5ec-43b2-9cb7-9efcf0853ffc?source=cve
