CVE-2025-3912
WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.35 - Missing Authorization to Unauthenticated Sensitive Information Exposure
| CVSS Score | 5.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the values of the plugin's settings, including API keys for integrated services.
| CWE | CWE-862 |
| Vendor | westguard |
| Product | ws form lite – drag & drop contact form builder |
| Published | Apr 25, 2025 |
| Last Updated | Apr 8, 2026 |
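CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | None (I:N) |
| Availability | None (A:N) |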
Affected Versions
westguard / WS Form LITE – Drag & Drop Contact Form Builder: all versions up to and including 1.10.35
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/3f6058e2-a5ec-43b2-9cb7-9efcf0853ffc?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/ws-form/trunk/ws-form.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/ws-form/trunk/api/class-ws-form-api.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/ws-form/trunk/includes/class-ws-form-config.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/ws-form/trunk/includes/class-ws-form-common.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3280355/
Credits
Amin Beheshti