CRM Perks Database for Contact Form 7
Moderate fix1 remedy
cpe:2.3:a:crmperks:database_for_contact_form_7,_wpforms,_elementor_forms:*:*:*:*:*:*:*
Moderate fix1 remedy
- <= 1.4.9
Database for Contact Form 7, WPforms, Elementor Forms WordPress Plugin Missing Capability Check Vulnerability
Vulnerability
Patched
A vulnerability exists in the Database for Contact Form 7, WPforms, and Elementor Forms WordPress plugin, specifically in versions through 1.4.9. The issue arises from a missing capability check in the 'entries_shortcode()' function, allowing authenticated attackers with Contributor-level access or higher to access and extract all form submissions. This includes sensitive information such as names, email addresses, phone numbers, and other form data.
Impact
Exploitation of this vulnerability leads to unauthorized access and extraction of sensitive form submission data, including personal information such as names, email addresses, and phone numbers.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the 'vx-entries' shortcode without the necessary capability to access the form entries. This will trigger the 'entries_shortcode()' function, which lacks proper authorization checks, allowing the user to retrieve all form submissions along with the associated personal data.
Remediation
Users are advised to update the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin to version 1.5.0 or a newer patched version.
Added: Apr 1, 2026, 2:22 AM
Updated: Apr 1, 2026, 2:22 AM
Vulnerability Rating
Custom Algorithm
spread
3.4impact
2.5exploitability
6.4remediation
7.7relevance
5.1threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.