CVE-2025-10019: Silent Data Exposure via Broken Authorization in Contact Form Email for WordPress

Vulnerability Summary

  • Vulnerability Name: Authorization Bypass Through User-Controlled Key (IDOR)
  • CVE ID: CVE-2025-10019
  • CVSS v3.1 Score: 6.5 (Medium)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Severity: Medium
  • Exploitability: Remote, unauthenticated, network-based
  • CWE: CWE-639 – Authorization Bypass Through User-Controlled Key (the weakness commonly called IDOR)
  • Plugin Name: Contact Form Email (contact-form-to-email)
  • Impacted Versions:
    • Vulnerable: All versions up to and including 1.3.60
    • Patched: 1.3.61
  • Attack Type: Broken Access Control / IDOR
  • Primary Impact: Unauthorized access to sensitive form submission data

Overview

Contact Form Email is a commonly deployed WordPress plugin used to collect and process contact form submissions. CVE-2025-10019 identifies a flaw in how the plugin enforces authorization when accessing internal objects such as form entries and configuration data.

The vulnerability exists because the plugin relies on client-supplied identifiers to determine which resource should be accessed, without validating whether the requester is authorized to access that resource. In several request handlers, the plugin retrieves database records based solely on numeric IDs passed through HTTP parameters.

This creates an Insecure Direct Object Reference (IDOR) condition. By modifying these identifiers, an attacker can access data belonging to other users or administrators. In many default configurations, this can be done without authentication, making exploitation straightforward and low-effort.


Technical Root Cause Analysis

The underlying technical issues include:

  • Direct use of $_GET and $_POST parameters to select which database record is returned
  • No ownership verification before a form entry is returned
  • Inconsistent or absent capability checks (current_user_can) in the request handlers
  • AJAX handlers that accept object IDs without nonce validation (a nonce only stops cross-site request forgery; it does not establish that the caller may read the object, so adding one is not a fix on its own)
  • Predictable, sequential database identifiers, which make enumeration trivial

In short, the plugin verifies that an identifier exists, but not whether the requester has the right to access the object it names.


Exploitation Workflow

  1. Endpoint Discovery
    • Attacker inspects WordPress AJAX or REST endpoints related to the plugin.
    • Common targets include admin-ajax.php actions handling exports, reports, or message retrieval.
  2. Parameter Tampering
    • Numeric parameters such as form_id, entry_id, or message_id are modified.
  3. Enumeration
    • IDs are incremented or decremented to access adjacent records.
  4. Unauthorized Data Access
    • Server responds with data without enforcing authorization.

This process can be automated and scaled quickly.


Exploitation Impact

An attacker may be able to:

  • Read contact form submissions from other users
  • Extract personally identifiable information (names, emails, messages)
  • Download exported form data (CSV or reports)
  • Access form configuration metadata
  • Trigger plugin actions tied to other users (in limited cases)

The primary risks are data exposure and privacy violations, with potential secondary integrity impact.


Indicators of Compromise (IOCs)

Network Traffic IOCs

  • Repeated requests to /wp-admin/admin-ajax.php
  • Sequential or patterned access to numeric identifiers
  • Requests lacking authentication cookies retrieving sensitive data
  • High request volume with minimal variation in parameters

Example suspicious pattern (the action name cp_get_message is illustrative; the tell is a single client walking adjacent IDs):

action=cp_get_message&message_id=101
action=cp_get_message&message_id=102
action=cp_get_message&message_id=103

Web Server Log IOCs

  • Multiple successful 200 OK responses for different IDs from the same IP
  • Anonymous access to plugin data endpoints
  • Sudden spikes in export or report generation
  • Access to multiple users’ data within short timeframes
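
The PHP below is an added example, written for this article rather than taken from the plugin or the original page, that applies the web-server log IOCs above to Apache combined-format access log lines. It keeps only 200-status admin-ajax.php requests, groups them by client IP, action and ID parameter, and reports runs of adjacent IDs walked within a short window. The log lines, the addresses and the action name cp_get_message are constructed for the sample; the function and constant names are the example's own. Requires PHP 7.4 or later.

```php
<?php
// Added example (not the plugin's code): detect sequential ID walking against
// admin-ajax.php in Apache combined-format access logs.

// The parameter names the page lists as enumeration targets.
const CFE_ID_PARAMS = ['form_id', 'entry_id', 'message_id'];

// Constructed sample: one client walks message_id 101..104 in three seconds
// (plus a 403 that is ignored), a second client fetches two IDs 37 minutes apart.
function cfe_sample_log(): string {
    return <<<'LOG'
203.0.113.7 - - [12/Sep/2025:10:01:01 +0000] "GET /wp-admin/admin-ajax.php?action=cp_get_message&message_id=101 HTTP/1.1" 200 812 "-" "python-requests/2.32"
203.0.113.7 - - [12/Sep/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=cp_get_message&message_id=102 HTTP/1.1" 200 790 "-" "python-requests/2.32"
203.0.113.7 - - [12/Sep/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=cp_get_message&message_id=103 HTTP/1.1" 200 805 "-" "python-requests/2.32"
203.0.113.7 - - [12/Sep/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=cp_get_message&message_id=104 HTTP/1.1" 200 799 "-" "python-requests/2.32"
203.0.113.7 - - [12/Sep/2025:10:01:04 +0000] "GET /wp-admin/admin-ajax.php?action=cp_get_message&message_id=105 HTTP/1.1" 403 12 "-" "python-requests/2.32"
198.51.100.4 - - [12/Sep/2025:10:05:10 +0000] "GET /wp-admin/admin-ajax.php?action=cp_get_message&message_id=12 HTTP/1.1" 200 640 "https://example.org/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2025:10:42:55 +0000] "GET /wp-admin/admin-ajax.php?action=cp_get_message&message_id=13 HTTP/1.1" 200 655 "https://example.org/wp-admin/" "Mozilla/5.0"
LOG;
}

/**
 * Return one finding per run of adjacent IDs (each hit at most $windowSeconds
 * after the previous one, at least $minRun hits long) that a single client
 * walked against one admin-ajax.php action. Only 200 responses count, since
 * those are the requests that actually returned data.
 */
function cfe_find_enumeration(string $log, int $minRun = 3, int $windowSeconds = 60): array {
    $lineRe = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/';
    $groups = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($lineRe, $line, $m)) {
            continue;                                  // not a combined-format line
        }
        [, $ip, $stamp, $target, $status] = $m;
        if ($status !== '200' || strpos($target, 'admin-ajax.php') === false) {
            continue;
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
        $time = DateTime::createFromFormat('d/M/Y:H:i:s O', $stamp);
        if ($time === false) {
            continue;
        }
        foreach (CFE_ID_PARAMS as $param) {
            if (isset($params[$param]) && ctype_digit($params[$param])) {
                $key = $ip . '|' . ($params['action'] ?? '-') . '|' . $param;
                $groups[$key][] = [$time->getTimestamp(), (int) $params[$param]];
            }
        }
    }

    $findings = [];
    foreach ($groups as $key => $hits) {
        usort($hits, fn(array $a, array $b): int => $a[0] <=> $b[0]);
        $run = [$hits[0]];
        $n = count($hits);
        for ($i = 1; $i <= $n; $i++) {
            $continues = $i < $n
                && abs($hits[$i][1] - $hits[$i - 1][1]) === 1          // adjacent ID
                && ($hits[$i][0] - $hits[$i - 1][0]) <= $windowSeconds; // close in time
            if ($continues) {
                $run[] = $hits[$i];
                continue;
            }
            if (count($run) >= $minRun) {
                [$ip, $action, $param] = explode('|', $key);
                $findings[] = [
                    'ip'      => $ip,
                    'action'  => $action,
                    'param'   => $param,
                    'ids'     => array_column($run, 1),
                    'seconds' => $run[count($run) - 1][0] - $run[0][0],
                ];
            }
            if ($i < $n) {
                $run = [$hits[$i]];                    // start a new run at this hit
            }
        }
    }
    return $findings;
}

foreach (cfe_find_enumeration(cfe_sample_log()) as $f) {
    printf("%s walked %s=%d..%d via action %s in %ds\n",
        $f['ip'], $f['param'], min($f['ids']), max($f['ids']), $f['action'], $f['seconds']);
}
```

On the sample this reports only 203.0.113.7 (message_id 101 to 104 in 2 seconds); the second client's two requests are 37 minutes apart and never form a run. The adjacency test is deliberately strict, so a scanner that randomises or strides its IDs will slip past it; in production pair it with a plain volume count of distinct IDs per client per window, which is what the Snort detection_filter rule later on this page approximates.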

Application-Level IOCs

  • Form entries read by a user or session that does not own them
  • Unexpected data exports
  • Plugin-generated email (notifications, forwarded submissions) that no administrator triggered

Detection Signatures

Snort Signature – Basic IDOR Attempt Detection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
    msg:"WordPress Contact Form Email IDOR Attempt - CVE-2025-10019";
    flow:to_server,established;
    content:"/wp-admin/admin-ajax.php"; http_uri; nocase;
    content:"action="; http_uri; nocase;
    pcre:"/[?&](form_id|entry_id|message_id)=[0-9]+/Ui";
    content:!"_wpnonce"; http_uri; nocase;
    content:!"_ajax_nonce"; http_uri; nocase;
    classtype:web-application-attack;
    sid:3025001; rev:2;
)

This rule fires on requests to admin-ajax.php that carry a plugin-style numeric object ID in the URI but none of the nonce parameters WordPress itself checks (check_ajax_referer looks for _ajax_nonce and then _wpnonce; the original rule's "wp_nonce" string matches neither). The negations are on the URI because the example requests are GETs with query strings; a POST that carries the nonce in its body will still trigger it. The rule is intentionally broad, since other plugins use the same parameter names: tune it to the plugin's confirmed action names before running it in blocking mode, and remember that the presence of a nonce does not mean the request was authorized.


Snort Signature – Sequential Enumeration Detection

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
    msg:"WordPress Contact Form Email Sequential ID Enumeration - CVE-2025-10019";
    flow:to_server,established;
    content:"/wp-admin/admin-ajax.php"; http_uri; nocase;
    pcre:"/[?&](form|entry|message)_?id=[0-9]{1,6}/Ui";
    detection_filter:track by_src, count 10, seconds 60;
    classtype:attempted-recon;
    sid:3025002; rev:2;
)

This rule alerts once a single source has sent ten or more such requests within 60 seconds. The content match on the URI gives the engine a fast-pattern anchor so the pcre is not evaluated on every packet, and detection_filter is the supported replacement for the deprecated in-rule threshold keyword. Note that it counts requests, not ID adjacency, so an administrator paging quickly through entries will also trip it; treat it as a trigger for log review rather than proof of enumeration.


YARA Rule – HTTP Traffic or Log Analysis

rule WordPress_ContactForm_IDOR_CVE_2025_10019
{
    meta:
        description = "Flags requests carrying plugin-style numeric object IDs to admin-ajax.php (Contact Form Email, CVE-2025-10019)"
        cve = "CVE-2025-10019"
        severity = "medium"

    strings:
        $ajax = "admin-ajax.php" nocase
        $plugin = "contact-form-to-email" nocase
        $id1 = /form_id=[0-9]{1,8}/ nocase
        $id2 = /entry_id=[0-9]{1,8}/ nocase
        $id3 = /message_id=[0-9]{1,8}/ nocase

    condition:
        ($ajax or $plugin) and any of ($id*)
}

This rule can be applied to HTTP logs, proxy logs, or packet captures. The condition accepts either the admin-ajax.php path or the plugin slug: the slug normally appears only in wp-content/plugins paths and referers, not in the AJAX request itself, so requiring both (as the earlier version of this rule did) would never match the enumeration pattern shown above. The ID parameter names are generic, so expect hits from unrelated plugins and filter on the plugin's action names.


MITRE ATT&CK Framework Mapping

This vulnerability aligns with the following MITRE ATT&CK techniques:

Reconnaissance

  • T1595.002 – Active Scanning: Vulnerability Scanning
    Attackers probe admin-ajax.php actions and object IDs to find handlers that return data without authorization.

Initial Access

  • T1190 – Exploit Public-Facing Application
    The flaw is reached through a publicly accessible WordPress plugin endpoint without authentication.

Collection

  • T1213 – Data from Information Repositories
    Contact form submissions and exported data are collected directly from the application datastore.

Exfiltration

  • No separate exfiltration technique applies. The data leaves in the HTTP response to the exploit request itself; T1041 (Exfiltration Over C2 Channel) does not fit because no implant or command-and-control channel is involved.

Impact (Secondary)

  • T1565 – Data Manipulation
    In cases where write operations are exposed, attackers may alter form data or settings.

IDOR flaws of this kind rarely stand alone: the harvested contact data and any exposed configuration can feed phishing or further intrusion against the site's users, so the finding should be read as a first link in an attack chain rather than an isolated leak.


Proof-of-Concept (Conceptual Example)

The action name cp_export is illustrative; substitute the plugin's real admin-ajax.php actions when testing.

Legitimate request, issued by the user who owns form 12:

GET /wp-admin/admin-ajax.php?action=cp_export&form_id=12

Malicious request: the same call with the identifier changed, replayed from a session that does not own form 13 (or with no session at all):

GET /wp-admin/admin-ajax.php?action=cp_export&form_id=13

If the second request returns form 13's data, the endpoint is vulnerable. Replaying from the owning account alone proves nothing, since that account may legitimately own both forms; the test must come from a less-privileged or anonymous context.


Remediation Guidance

Official Patch (Required)

Update the plugin to Contact Form Email version 1.3.61 or later.

Official Plugin and Patch Page:
https://wordpress.org/plugins/contact-form-to-email/


Defense-in-Depth Hardening

  • Enforce capability checks (current_user_can) in every handler that reads or writes plugin data, including anything reachable through wp_ajax_nopriv_ hooks
  • Verify that the requested object belongs to the caller (or that the caller is an administrator) before returning it
  • Require nonces (check_ajax_referer) for all sensitive actions, as CSRF protection in addition to, not instead of, authorization
  • Do not rely on the secrecy of database IDs; sequential IDs are acceptable only once authorization is enforced, and unguessable identifiers merely slow enumeration
  • Monitor and rate-limit access to admin-ajax.php
  • Deploy WAF rules to block enumeration patterns
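
The PHP below is an added example written for this article, not code from the Contact Form Email plugin: a generic admin-ajax.php handler in the vulnerable shape described under Technical Root Cause Analysis, followed by the same handler with the nonce, capability and ownership checks from the list above. The action name cfe_get_entry, the table wp_cfe_entries with its created_by column, the "security" nonce parameter and the choice of edit_posts as the gating capability are all assumptions for the illustration.

```php
<?php
/*
 * Added illustrative example (not Contact Form Email's own code).
 * Assumed names: action "cfe_get_entry", table {$wpdb->prefix}cfe_entries with an
 * integer created_by column, and the edit_posts capability as the gate for
 * reading submissions. Drop it in as a small plugin on a test site to experiment.
 */

/* --- Vulnerable shape: the request picks the object, nobody checks the requester --- */
function cfe_get_entry_vulnerable() {
    global $wpdb;
    $entry_id = isset($_GET['entry_id']) ? intval($_GET['entry_id']) : 0;

    // Existence is the only check. Any caller, including an anonymous one arriving
    // through the nopriv hook, can read any entry just by changing entry_id.
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}cfe_entries WHERE id = %d", $entry_id),
        ARRAY_A
    );
    if (!$row) {
        wp_send_json_error(['message' => 'not found'], 404);
    }
    wp_send_json_success($row);
}
// The nopriv registration is what makes the flaw reachable without authentication.
// Left commented out so that only the hardened handler is live if this file is loaded.
// add_action('wp_ajax_cfe_get_entry',        'cfe_get_entry_vulnerable');
// add_action('wp_ajax_nopriv_cfe_get_entry', 'cfe_get_entry_vulnerable');

/* --- Hardened shape: nonce (CSRF) + capability (may use the feature) + ownership --- */
function cfe_entry_is_visible_to_current_user(array $row): bool {
    // Administrators see every entry; everyone else only entries they created.
    if (current_user_can('manage_options')) {
        return true;
    }
    return (int) $row['created_by'] === get_current_user_id();
}

function cfe_get_entry_hardened() {
    // 1. CSRF: the caller must present a nonce minted for this action, sent as the
    //    "security" parameter. This proves the request originated from our own page;
    //    it says nothing about whether the caller may read the object.
    check_ajax_referer('cfe_get_entry', 'security');

    // 2. Capability: an explicit "may use this feature" gate. is_user_logged_in()
    //    alone would still let any subscriber walk the IDs.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Input: coerce to a non-negative integer and reject 0 before querying.
    $entry_id = isset($_GET['entry_id']) ? absint($_GET['entry_id']) : 0;
    if ($entry_id === 0) {
        wp_send_json_error(['message' => 'bad request'], 400);
    }

    global $wpdb;
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, form_id, created_by, name, email, message
               FROM {$wpdb->prefix}cfe_entries WHERE id = %d",
            $entry_id
        ),
        ARRAY_A
    );

    // 4. Ownership (object-level authorization). A foreign ID gets the same 404 as a
    //    missing one, so the response does not tell an enumerating client which IDs exist.
    if (!$row || !cfe_entry_is_visible_to_current_user($row)) {
        wp_send_json_error(['message' => 'not found'], 404);
    }
    wp_send_json_success($row);
}
// Authenticated hook only: anonymous calls to this action now receive WordPress's
// default "0" reply instead of data.
add_action('wp_ajax_cfe_get_entry', 'cfe_get_entry_hardened');
```

The front-end side obtains the nonce with wp_create_nonce('cfe_get_entry') (typically handed to the page script through wp_localize_script) and sends it as security=... alongside entry_id. Each of the three checks covers a different failure: dropping the nonce reopens CSRF, dropping the capability lets any logged-in user read entries, and dropping the ownership test is precisely the IDOR described on this page, since the first two checks never look at which object was requested.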

Final Assessment

CVE-2025-10019 is a straightforward but dangerous authorization flaw. While rated medium, the lack of authentication requirements and ease of exploitation make it a high-risk issue in real-world deployments, especially for public-facing WordPress sites handling sensitive data.

Immediate patching is strongly recommended, followed by log review and monitoring for enumeration activity.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.