{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32483", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:55.347Z", "datePublished": "2026-03-25T16:14:57.726Z", "dateUpdated": "2026-03-25T16:14:57.726Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "contact-form-to-email", "product": "Contact Form Email", "vendor": "codepeople", "versions": [{"changes": [{"at": "1.3.64", "status": "unaffected"}], "lessThanOrEqual": "<= 1.3.63", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "huli07 | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:36.540Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Contact Form Email: from n/a through <= 1.3.63.</p>"}], "value": "Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.63."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:57.726Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-to-email/vulnerability/wordpress-contact-form-email-plugin-1-3-63-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Contact Form Email plugin <= 1.3.63 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.63."}], "id": "CVE-2026-32483", "lastModified": "2026-03-25T17:16:59.323", "metrics": {}, "published": "2026-03-25T17:16:59.323", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-to-email/vulnerability/wordpress-contact-form-email-plugin-1-3-63-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.63]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.3.64,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Contact Form Email", "source": "cna", "vendor": "codepeople"}, "product": "contact_form_email", "vendor": "codepeople"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:37:47.885486+00:00", "value": {"mitigation_remediation": ["Upgrade the Contact Form Email plugin to the latest version, which is 1.3.64 or later, as it resolves the authorization flaw.", "If an immediate upgrade is not possible, restrict access to the plugin\u2019s administrative interface by applying WordPress role\u2011based restrictions or by limiting access to the corresponding URLs via .htaccess or a firewall rule.", "Monitor the site for suspicious activity such as unexpected configuration changes or unusual form submissions that may indicate exploitation."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access / Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress Contact Form Email plugin, offered by codepeople under the product name Contact Form Email (\"contact\u2011form\u2011to\u2011email\"). All installations using any release up to and including version 1.3.63 are considered vulnerable. No specific operating system or WordPress version constraints are listed, implying the problem is present in every WordPress site running the affected plugin.", "description_and_impact": "The vulnerability is an authorization flaw in the Contact Form Email plugin that fails to enforce proper access control. An attacker can gain unauthorized rights to view or manipulate the plugin\u2019s settings and messages, potentially leaking sensitive user data or modifying how forms are processed. This flaw can be exploited by sending crafted HTTP requests to the plugin\u2019s administrative endpoints, allowing the attacker to bypass the intended permissions. The flaw is rooted in CWE\u2011862.", "risk_and_exploitability": "The CVSS score is not provided, but the missing authorization flaw has a moderate to high potential impact. EPSS data are unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known public exploits yet. However, because the plugin functions over the web, a web\u2011based attacker can attempt to exploit the vulnerability readily if the website does not enforce role restrictions on administrative pages. Administrators should consider the possibility of privilege escalation and the potential for data exposure."}}}}, "created": "2026-03-25T21:43:43.224341+00:00", "updated": "2026-03-26T11:37:42.256862+00:00", "vendors": ["codepeople", "codepeople$PRODUCT$contact_form_email", "wordpress", "wordpress$PRODUCT$wordpress"]}