Security Alert Summary
The StickEasy Protected Contact Form plugin for WordPress exposes spam detection logs at a predictable, publicly accessible location. An unauthenticated attacker can download the log file and access sensitive information such as visitor IP addresses, email addresses, and comment snippets from submissions flagged as spam.
CVE Details
- CVE ID: CVE-2025-13973
- Affected plugin / component: StickEasy Protected Contact Form plugin for WordPress
- Affected versions: All versions up to and including 1.0.2
- Published: February 14, 2026 at 4:15:56 AM UTC
- Last modified: February 14, 2026 at 4:15:56 AM UTC
- CVSS v3.1: Base Score 5.3 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Authentication / Privileges / User Interaction: No authentication required;
Privileges Required: NONE;User Interaction: NONE - Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
- CWE / weakness: CWE-200 (Information Exposure)
Technical Details
The plugin stores spam detection logs at a predictable, publicly accessible path: wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt. Because the file is stored where web requests can retrieve it and there are no authentication or access restrictions documented in the CVE entry, an unauthenticated attacker can download the file directly.
The log file contains sensitive data captured from contact form submissions flagged as spam, specifically visitor IP addresses, email addresses, and comment snippets. The vulnerability exists due to storing these logs in a web-accessible location without access controls or protection mechanisms.
How This Could Impact Your Website
On a typical WordPress site using this plugin, multiple roles interact with contact data: a site owner reviewing submissions, internal staff or contributors managing communications, and external contractors or partners who may review form data. If the spam log file is publicly accessible, those stored IPs and email addresses could be retrieved by anyone on the internet.
- Exposure of visitor and contributor email addresses can increase the risk of targeted phishing or social engineering against site staff or users.
- Leaked IP addresses and comment snippets can reveal visit patterns or partial content of messages, which may aid further reconnaissance by attackers.
- The information disclosed is limited to the contents of the spam log; the CVSS impact indicates confidentiality is affected at a low level without integrity or availability impact.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts or permissions that are not required.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins from your site.
- Restrict access to uploaded logs and sensitive files (for example, move logs outside the webroot or block direct access via server rules) where possible.
- Monitor site activity and access logs for unusual downloads or requests to the uploads directory.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/stickeasy-protected-contact-form/tags/1.0.0/stickeasy-protected-contact-form.php#L157
- https://plugins.trac.wordpress.org/browser/stickeasy-protected-contact-form/trunk/stickeasy-protected-contact-form.php#L157
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425729%40stickeasy-protected-contact-form&new=3425729%40stickeasy-protected-contact-form
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426722%40stickeasy-protected-contact-form&new=3426722%40stickeasy-protected-contact-form
- https://www.wordfence.com/threat-intel/vulnerabilities/id/86edc116-054f-4962-a57c-0ce7e1b8ff8c?source=cve