CVE-2026-32483

Contact Form Email <= 1.3.63 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.3.64
Patched in
44d
Time to patch

Description

The Contact Form Email plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3.63
PublishedMarch 23, 2026
Last updatedMay 5, 2026
Affected plugincontact-form-to-email

What Changed in the Fix

Changes introduced in v1.3.64

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-32483 (Contact Form Email) ## 1. Vulnerability Summary The **Contact Form Email** plugin (versions <= 1.3.63) is vulnerable to **Missing Authorization**. Specifically, the AJAX handler `handle_email_diagnostic_ajax` and the initialization function `data_manage…

Show full research plan

Exploitation Research Plan: CVE-2026-32483 (Contact Form Email)

1. Vulnerability Summary

The Contact Form Email plugin (versions <= 1.3.63) is vulnerable to Missing Authorization. Specifically, the AJAX handler handle_email_diagnostic_ajax and the initialization function data_management_loaded lack sufficient capability checks. This allows an authenticated attacker with Subscriber-level privileges to perform unauthorized actions, such as sending arbitrary diagnostic emails or potentially modifying/deleting form data.

The vulnerability exists because these functions are registered within the is_admin() block in form-to-email.php, and is_admin() returns true for all logged-in users when they access the WordPress dashboard (including wp-admin/profile.php or wp-admin/admin-ajax.php).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: run_email_diagnostic
  • Parameters:
    • action: run_email_diagnostic
    • to: The target email address for the diagnostic (inferred)
    • nonce: A security nonce (required, but accessible to Subscribers)
  • Authentication: Subscriber-level account is required (PR:L).
  • Preconditions: The attacker must be logged into the WordPress site.

3. Code Flow

  1. Entry Point: A
Research Findings
Static analysis — not yet PoC-verified

Summary

The Contact Form Email plugin for WordPress is vulnerable to unauthorized access in versions up to 1.3.63 due to missing capability checks on several functions. This allows authenticated attackers with Subscriber-level privileges to perform unauthorized actions such as triggering diagnostic email tests or accessing form submission data.

Vulnerable Code

// form-to-email.php lines 95-102
if ( is_admin() ) {    
    add_action('admin_enqueue_scripts', array($cp_cfte_plugin,'insert_adminScripts'), 1);    
    add_filter("plugin_action_links_".plugin_basename(__FILE__), array($cp_cfte_plugin,'plugin_page_links'));   
    add_action('admin_menu', array($cp_cfte_plugin,'admin_menu') );
    add_action('enqueue_block_editor_assets', array($cp_cfte_plugin,'gutenberg_block') );
    add_action('wp_loaded', array($cp_cfte_plugin, 'data_management_loaded') );
    add_action('wp_ajax_run_email_diagnostic',  array($cp_cfte_plugin, 'handle_email_diagnostic_ajax') );
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/contact-form-to-email/1.3.63/cp-main-class.inc.php /home/deploy/wp-safety.org/data/plugin-versions/contact-form-to-email/1.3.64/cp-main-class.inc.php
--- /home/deploy/wp-safety.org/data/plugin-versions/contact-form-to-email/1.3.63/cp-main-class.inc.php	2026-02-03 18:36:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/contact-form-to-email/1.3.64/cp-main-class.inc.php	2026-02-16 15:47:08.000000000 +0000
@@ -530,29 +530,8 @@
 
     public function settings_page() {
         global $wpdb;
-        if ($this->get_param("cal") || $this->get_param("cal") == '0' || $this->get_param("pwizard") == '1')
-        {
-            $this->item = intval($this->get_param("cal"));
-            if (isset($_GET["edit"]) && $_GET["edit"] == '1')
-                @include_once __DIR__ . '/cp_admin_int_edition.inc.php';
-            else if ($this->get_param("list") == '1')
-                @include_once __DIR__ . '/cp-admin-int-message-list.inc.php';
-            else if ($this->get_param("edititem"))
-                @include_once __DIR__ . '/cp-admin-int-edit-booking.inc.php';            
-            else if ($this->get_param("addbk") == '1')
-                @include_once __DIR__ . '/cp-admin-int-add-booking.inc.php';
-            else if ($this->get_param("report") == '1')
-                @include_once __DIR__ . '/cp-admin-int-report.inc.php';
-            else if ($this->get_param("pwizard") == '1')
-            {
-                if ($this->get_param("cal"))
-                    $this->item = intval($this->get_param("cal"));
-                @include_once __DIR__ . '/cp-publish-wizzard.inc.php';
-            }
-            else
-                @include_once __DIR__ . '/cp-admin-int.inc.php';
-        }
-        else if ($this->get_param("page") == $this->menu_parameter.'_reftracking')
+        
+        if ($this->get_param("page") == $this->menu_parameter.'_reftracking')
         {
             if (class_exists('CP_REFTRACK_Plugin'))
                 echo("Redirecting to referral report...<script type='text/javascript'>document.location='?page=cp_reftrack';</script>");
@@ -579,6 +558,28 @@
         {
             echo("Redirecting to demo page...<script type='text/javascript'>document.location='https://wordpress.org/support/plugin/contact-form-to-email#new-post';</script>");
             exit;
+        } 
+        else if ($this->get_param("cal") || $this->get_param("cal") == '0' || $this->get_param("pwizard") == '1')
+        {
+            $this->item = intval($this->get_param("cal"));
+            if (isset($_GET["edit"]) && $_GET["edit"] == '1')
+                @include_once __DIR__ . '/cp_admin_int_edition.inc.php';
+            else if ($this->get_param("list") == '1')
+                @include_once __DIR__ . '/cp-admin-int-message-list.inc.php';
+            else if ($this->get_param("edititem"))
+                @include_once __DIR__ . '/cp-admin-int-edit-booking.inc.php';            
+            else if ($this->get_param("addbk") == '1')
+                @include_once __DIR__ . '/cp-admin-int-add-booking.inc.php';
+            else if ($this->get_param("report") == '1')
+                @include_once __DIR__ . '/cp-admin-int-report.inc.php';
+            else if ($this->get_param("pwizard") == '1')
+            {
+                if ($this->get_param("cal"))
+                    $this->item = intval($this->get_param("cal"));
+                @include_once __DIR__ . '/cp-publish-wizzard.inc.php';
+            }
+            else
+                @include_once __DIR__ . '/cp-admin-int.inc.php';
         }
         else
             @include_once __DIR__ . '/cp-admin-int-list.inc.php';
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/contact-form-to-email/1.3.63/form-to-email.php /home/deploy/wp-safety.org/data/plugin-versions/contact-form-to-email/1.3.64/form-to-email.php
--- /home/deploy/wp-safety.org/data/plugin-versions/contact-form-to-email/1.3.63/form-to-email.php	2026-02-03 18:36:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/contact-form-to-email/1.3.64/form-to-email.php	2026-02-16 15:47:08.000000000 +0000
@@ -3,7 +3,7 @@
 Plugin Name: Contact Form Email
 Plugin URI: https://form2email.dwbooster.com/download
 Description: Contact form that sends the data to email and also to a database list and CSV file.
-Version: 1.3.63
+Version: 1.3.64
 Author: CodePeople
 Author URI: https://form2email.dwbooster.com
 Text Domain: contact-form-to-email

Exploit Outline

An authenticated attacker with Subscriber-level access can exploit this vulnerability by sending a request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the action 'run_email_diagnostic'. Because the plugin registers the AJAX handler within an is_admin() check but fails to verify specific user capabilities (like 'manage_options') inside the handler, any logged-in user can trigger the functionality. The attacker can potentially send arbitrary diagnostic emails to specified addresses or manipulate internal data management tasks triggered via the 'wp_loaded' hook.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.