CVE-2025-13973 Overview
The StickEasy Protected Contact Form plugin for WordPress contains a Sensitive Information Disclosure vulnerability in all versions up to and including 1.0.2. The plugin stores spam detection logs at a predictable, publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt), allowing unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.
Critical Impact
Unauthenticated attackers can access sensitive visitor data including IP addresses, email addresses, and contact form submission content by directly accessing a predictable log file path.
Affected Products
- StickEasy Protected Contact Form for WordPress versions up to and including 1.0.2
Discovery Timeline
- 2026-02-14 - CVE-2025-13973 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-13973
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The StickEasy Protected Contact Form plugin implements spam detection functionality that logs flagged submissions to a text file. However, the plugin stores this log file in a predictable location within the WordPress uploads directory without implementing proper access controls.
The core issue is that the plugin writes sensitive user-submitted data to a file that is directly accessible via HTTP requests. Any external attacker who knows or discovers the file path can retrieve the log contents without any authentication or authorization checks. The log file contains personally identifiable information (PII) from website visitors who submitted contact forms that were subsequently flagged as spam.
This type of information disclosure can enable further attacks such as targeted phishing campaigns using harvested email addresses, or tracking users via their IP addresses. The exposure of partial form content may also reveal sensitive business communications or personal details shared by visitors.
Root Cause
The root cause of this vulnerability is improper access control implementation for the spam log file. The plugin stores the log at wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt without implementing any of the standard WordPress protections such as:
- Using .htaccess rules to restrict access to the log file
- Storing logs outside the web-accessible directory
- Implementing nonce-based authentication for log access
- Randomizing the log file name or path
The vulnerable code can be reviewed in the WordPress Plugin Code Snapshot.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by simply making an HTTP GET request to the predictable log file location. The attack sequence involves:
- Identifying a WordPress site running the vulnerable StickEasy Protected Contact Form plugin
- Crafting a direct HTTP request to https://[target-site]/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt
- Downloading and parsing the log file contents to extract IP addresses, email addresses, and form submission snippets
Since the file path is predictable and no authentication is required, this vulnerability can be exploited at scale against any WordPress site running the affected plugin versions.
Detection Methods for CVE-2025-13973
Indicators of Compromise
- Unexpected HTTP requests to /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt from external IP addresses
- Access log entries showing successful (HTTP 200) responses to requests for the spam log file
- Patterns of enumeration attempts targeting common WordPress plugin file paths in the uploads directory
Detection Strategies
- Configure web server access logs to alert on requests to the spcf-log.txt file path
- Implement Web Application Firewall (WAF) rules to monitor and block unauthorized access to plugin log files
- Use WordPress security plugins to scan for publicly accessible sensitive files in the uploads directory
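The indicators and detection strategies above, turned into a small log check: an added example (not code from the page or the plugin) that parses Apache/nginx combined-format access log lines, normalises the request path (query string stripped, percent-decoding applied) and separates confirmed downloads of the spam log (2xx responses) from blocked or failed attempts, per source IP. The sample log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The predictable log path named in the advisory.
SPCF_LOG_PATH = "/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt"

# Constructed sample lines (IPs are documentation ranges, timestamps are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2026:10:01:02 +0000] "GET /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt HTTP/1.1" 200 4821 "-" "curl/8.5.0"
198.51.100.7 - - [15/Feb/2026:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Feb/2026:10:02:10 +0000] "GET /wp-content/uploads/stickeasy-protected-contact-form/spcf-log%2Etxt?x=1 HTTP/1.1" 200 4821 "-" "python-requests/2.31"
192.0.2.9 - - [15/Feb/2026:11:00:00 +0000] "GET /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Normalise: drop the query string, decode percent-escapes, lower-case for comparison.
    rec["path"] = unquote(rec["path"].split("?", 1)[0]).lower()
    return rec


def find_spcf_log_access(log_text):
    """Return ({ip: count} of 2xx fetches of the spam log, {ip: count} of other attempts)."""
    downloaded = defaultdict(int)
    attempted = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != SPCF_LOG_PATH:
            continue
        if 200 <= rec["status"] < 300:
            downloaded[rec["ip"]] += 1  # file was actually served: treat as exposure
        else:
            attempted[rec["ip"]] += 1   # request seen but blocked/missing: treat as probing
    return dict(downloaded), dict(attempted)


if __name__ == "__main__":
    served, probed = find_spcf_log_access(SAMPLE_LOG)
    print("spam log served to:", served)
    print("spam log probed by:", probed)
```

A non-empty first dictionary is the signal for the notification step under Immediate Actions; the second dictionary is useful for WAF or fail2ban tuning.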
Monitoring Recommendations
- Enable verbose logging for the WordPress uploads directory and review access patterns regularly
- Implement file integrity monitoring for the wp-content/uploads/stickeasy-protected-contact-form/ directory
- Set up automated alerts for unusual access patterns to plugin-related log files
How to Mitigate CVE-2025-13973
Immediate Actions Required
- Update the StickEasy Protected Contact Form plugin to a patched version immediately
- Review web server access logs for any prior unauthorized access to the spcf-log.txt file
- If the log file has been exposed, consider notifying affected users whose data may have been compromised
- Audit other WordPress plugins for similar information disclosure vulnerabilities
Patch Information
Security patches are available through the WordPress plugin repository. The fix addresses the insecure storage of spam logs by implementing proper access controls. For detailed information about the changes, see the WordPress Plugin Change Log.
Additional vulnerability details and remediation guidance can be found in the Wordfence Vulnerability Report.
Workarounds
- Add .htaccess rules to deny direct access to the stickeasy-protected-contact-form directory in the uploads folder
- Temporarily disable the StickEasy Protected Contact Form plugin until a patch can be applied
- Delete or relocate the existing spcf-log.txt file to prevent immediate exposure while awaiting an update
# Configuration example - Add to .htaccess in wp-content/uploads/stickeasy-protected-contact-form/ (Apache only; nginx ignores .htaccess)
<Files "spcf-log.txt">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.