CVE-2025-12845 - Vulnerability Details

The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Essekia	Tablesome Table – Contact Form Db – Wpforms, Cf7, Gravity, Forminator, Fluent
Wordpress	Wordpress

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3447966
https://www.wordfence.com/threat-intel/vulnerabilities/id/a22b2724-2541-4345-bd42-e8a5844f3f0a?source=cve

History

Thu, 19 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Essekia Essekia tablesome Table – Contact Form Db – Wpforms, Cf7, Gravity, Forminator, Fluent Wordpress Wordpress wordpress
Vendors & Products		Essekia Essekia tablesome Table – Contact Form Db – Wpforms, Cf7, Gravity, Forminator, Fluent Wordpress Wordpress wordpress

Thu, 19 Feb 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key.
Title		Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/changeset/3447966 https://www.wordfence.com/threat-intel/vulnerabilities/id/a22b2724-2541-4345-bd42-e8a5844f3f0a?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-19T03:25:17.846Z

Updated: 2026-02-19T03:25:17.846Z

Reserved: 2025-11-06T20:32:56.357Z

Link: CVE-2025-12845

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object