CVE-2026-9145
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress up to version 1.5.1 contains an arbitrary file copy vulnerability. The create_entry_el() function passes the raw_value from Elementor Pro's Form_Record object directly to PHP's copy() without validation, allowing an attacker to copy any file from the server or from an external URL.
Risk Assessment
An unauthenticated attacker can copy any file readable by the PHP process, including configuration files, credentials, or other sensitive data, on the affected WordPress site. Although the destination directory is hashed, the use of non-cryptographic functions uniqid() and rand() weakens the protection.
Recommendation
Immediately update the Database for Contact Form 7, WPforms, Elementor forms plugin to a version newer than 1.5.1. If no update is available, temporarily disable the plugin or restrict access to it.
Original NVD description (English source)
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() without validating that the value corresponds to a legitimately uploaded file — when no file is present in $_FILES, raw_value reflects the attacker-controlled POST string. copy() accepts both local filesystem paths and URL sources, so the attacker can target any file readable by the PHP process or supply an attacker-controlled remote URL. Elementor Pro is a prerequisite for triggering the code path (it owns the elementor_pro/forms/new_record hook and populates the Form_Record object), but the bug itself is entirely in Contact Form Entries' handler. This could allow unauthenticated attackers to disclose arbitrary files on the affected site's server. The file is copied to a directory unknown to the attacker; the hashed directory name provides defense-in-depth but is generated from non-cryptographic sources (uniqid() + rand()) and should not be relied upon as the primary mitigation.

