{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40764", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:20:32.456Z", "datePublished": "2026-04-15T10:21:35.430Z", "dateUpdated": "2026-04-15T10:21:35.430Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpforms-lite", "product": "Contact Form by WPForms", "vendor": "Syed Balkhi", "versions": [{"changes": [{"at": "1.10.0.3", "status": "unaffected"}], "lessThanOrEqual": "1.10.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "vladimir tokarev | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:45.256Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.<p>This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:35.430Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-10-0-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Contact Form by WPForms plugin <= 1.10.0.2 - Cross Site Request Forgery (CSRF) vulnerability"}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.10.0.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[1.10.0.3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Contact Form by WPForms", "source": "cna", "vendor": "Syed Balkhi"}, "product": "contact_form_by_wpforms", "vendor": "syed_balkhi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T11:50:42.877960+00:00", "value": {"mitigation_remediation": ["Update the Contact Form by WPForms plugin to a release newer than 1.10.0.2 to apply the vendor patch that restores CSRF protection.", "Enable or confirm the plugin\u2019s internal CSRF protection controls\u2014ensure that form submissions require a valid nonce or token before processing.", "For critical or high\u2011value sites, temporarily disable the plugin or restrict administrator access to form configuration until the patched version is installed."], "summary": {"action": "Upgrade Plugin", "impact": "Untrusted form submissions via CSRF"}, "threat_synthesis": {"affected_systems": "The issue affects installations of the WordPress plugin Contact Form by WPForms from Syed Balkhi, including any version through 1.10.0.2. Any WordPress site that has this plugin installed and runs a vulnerable version is susceptible. No specific operating\u2011system or PHP version constraints are listed.", "description_and_impact": "The vulnerability is a Cross\u2011Site Request Forgery flaw that permits an attacker to compel an authenticated user of a WordPress site to send arbitrary form submissions or alter form settings. By exploiting the missing CSRF token validation, an attacker can trigger unintended actions that compromise the integrity and confidentiality of user data or website configuration. The weakness corresponds to CWE\u2011352, which concerns lacking protection against cross\u2011site request forgery.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS score is unavailable. This vulnerability is not listed in the KEV catalog. Exploitation requires an attacker to lure an authenticated user to a crafted URL or form, making the attack vector HTTP. Because no active exploitation code is reported and the defect plays on authenticated sessions, the risk is moderate, but sites with high\u2011value content or exposed configuration panels should prioritize remediation."}}}}, "created": "2026-04-15T13:38:17.786294+00:00", "updated": "2026-04-15T13:44:58.882341+00:00", "vendors": ["syed_balkhi", "syed_balkhi$PRODUCT$contact_form_by_wpforms", "wordpress", "wordpress$PRODUCT$wordpress"]}