Contact Form Email <= 1.3.63 - Missing Authorization
Description
The Contact Form Email plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.3.63What Changed in the Fix
Changes introduced in v1.3.64
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-32483 (Contact Form Email) ## 1. Vulnerability Summary The **Contact Form Email** plugin (versions <= 1.3.63) is vulnerable to **Missing Authorization**. Specifically, the AJAX handler `handle_email_diagnostic_ajax` and the initialization function `data_manage…
Show full research plan
Exploitation Research Plan: CVE-2026-32483 (Contact Form Email)
1. Vulnerability Summary
The Contact Form Email plugin (versions <= 1.3.63) is vulnerable to Missing Authorization. Specifically, the AJAX handler handle_email_diagnostic_ajax and the initialization function data_management_loaded lack sufficient capability checks. This allows an authenticated attacker with Subscriber-level privileges to perform unauthorized actions, such as sending arbitrary diagnostic emails or potentially modifying/deleting form data.
The vulnerability exists because these functions are registered within the is_admin() block in form-to-email.php, and is_admin() returns true for all logged-in users when they access the WordPress dashboard (including wp-admin/profile.php or wp-admin/admin-ajax.php).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
run_email_diagnostic - Parameters:
action:run_email_diagnosticto: The target email address for the diagnostic (inferred)nonce: A security nonce (required, but accessible to Subscribers)
- Authentication: Subscriber-level account is required (
PR:L). - Preconditions: The attacker must be logged into the WordPress site.
3. Code Flow
- Entry Point: A
Summary
The Contact Form Email plugin for WordPress is vulnerable to unauthorized access in versions up to 1.3.63 due to missing capability checks on several functions. This allows authenticated attackers with Subscriber-level privileges to perform unauthorized actions such as triggering diagnostic email tests or accessing form submission data.
Vulnerable Code
// form-to-email.php lines 95-102 if ( is_admin() ) { add_action('admin_enqueue_scripts', array($cp_cfte_plugin,'insert_adminScripts'), 1); add_filter("plugin_action_links_".plugin_basename(__FILE__), array($cp_cfte_plugin,'plugin_page_links')); add_action('admin_menu', array($cp_cfte_plugin,'admin_menu') ); add_action('enqueue_block_editor_assets', array($cp_cfte_plugin,'gutenberg_block') ); add_action('wp_loaded', array($cp_cfte_plugin, 'data_management_loaded') ); add_action('wp_ajax_run_email_diagnostic', array($cp_cfte_plugin, 'handle_email_diagnostic_ajax') ); }
Security Fix
@@ -530,29 +530,8 @@ public function settings_page() { global $wpdb; - if ($this->get_param("cal") || $this->get_param("cal") == '0' || $this->get_param("pwizard") == '1') - { - $this->item = intval($this->get_param("cal")); - if (isset($_GET["edit"]) && $_GET["edit"] == '1') - @include_once __DIR__ . '/cp_admin_int_edition.inc.php'; - else if ($this->get_param("list") == '1') - @include_once __DIR__ . '/cp-admin-int-message-list.inc.php'; - else if ($this->get_param("edititem")) - @include_once __DIR__ . '/cp-admin-int-edit-booking.inc.php'; - else if ($this->get_param("addbk") == '1') - @include_once __DIR__ . '/cp-admin-int-add-booking.inc.php'; - else if ($this->get_param("report") == '1') - @include_once __DIR__ . '/cp-admin-int-report.inc.php'; - else if ($this->get_param("pwizard") == '1') - { - if ($this->get_param("cal")) - $this->item = intval($this->get_param("cal")); - @include_once __DIR__ . '/cp-publish-wizzard.inc.php'; - } - else - @include_once __DIR__ . '/cp-admin-int.inc.php'; - } - else if ($this->get_param("page") == $this->menu_parameter.'_reftracking') + + if ($this->get_param("page") == $this->menu_parameter.'_reftracking') { if (class_exists('CP_REFTRACK_Plugin')) echo("Redirecting to referral report...<script type='text/javascript'>document.location='?page=cp_reftrack';</script>"); @@ -579,6 +558,28 @@ { echo("Redirecting to demo page...<script type='text/javascript'>document.location='https://wordpress.org/support/plugin/contact-form-to-email#new-post';</script>"); exit; + } + else if ($this->get_param("cal") || $this->get_param("cal") == '0' || $this->get_param("pwizard") == '1') + { + $this->item = intval($this->get_param("cal")); + if (isset($_GET["edit"]) && $_GET["edit"] == '1') + @include_once __DIR__ . '/cp_admin_int_edition.inc.php'; + else if ($this->get_param("list") == '1') + @include_once __DIR__ . '/cp-admin-int-message-list.inc.php'; + else if ($this->get_param("edititem")) + @include_once __DIR__ . '/cp-admin-int-edit-booking.inc.php'; + else if ($this->get_param("addbk") == '1') + @include_once __DIR__ . '/cp-admin-int-add-booking.inc.php'; + else if ($this->get_param("report") == '1') + @include_once __DIR__ . '/cp-admin-int-report.inc.php'; + else if ($this->get_param("pwizard") == '1') + { + if ($this->get_param("cal")) + $this->item = intval($this->get_param("cal")); + @include_once __DIR__ . '/cp-publish-wizzard.inc.php'; + } + else + @include_once __DIR__ . '/cp-admin-int.inc.php'; } else @include_once __DIR__ . '/cp-admin-int-list.inc.php'; @@ -3,7 +3,7 @@ Plugin Name: Contact Form Email Plugin URI: https://form2email.dwbooster.com/download Description: Contact form that sends the data to email and also to a database list and CSV file. -Version: 1.3.63 +Version: 1.3.64 Author: CodePeople Author URI: https://form2email.dwbooster.com Text Domain: contact-form-to-email
Exploit Outline
An authenticated attacker with Subscriber-level access can exploit this vulnerability by sending a request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the action 'run_email_diagnostic'. Because the plugin registers the AJAX handler within an is_admin() check but fails to verify specific user capabilities (like 'manage_options') inside the handler, any logged-in user can trigger the functionality. The attacker can potentially send arbitrary diagnostic emails to specified addresses or manipulate internal data management tasks triggered via the 'wp_loaded' hook.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.