PT-2026-1709 · Unknown+1 · Contact Form 7+1
Sopon Tangpathum · Published 2026-01-09 · Updated 2026-01-09 · CVE-2025-13717
CVSS v3.1: 5.3 Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Contact Form vCard Generator versions up to and including 2.4
Description
The Contact Form vCard Generator plugin for WordPress is missing a capability check on the wp_gvccf_check_download_request function, which allows unauthorized access to data. Unauthenticated attackers can exploit this to export sensitive Contact Form 7 submission data using the wp-gvc-cf-download-id parameter. This data includes names, phone numbers, email addresses, and messages.
Recommendations
Versions prior to and including 2.4 should be updated.
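To review whether the export path was requested before the update, the web server access log can be searched for the wp-gvc-cf-download-id parameter named in the description. The script below is an added example, not part of the advisory or the plugin; it assumes Combined Log Format and that the parameter appears in the query string, and the log lines and the function name find_export_requests are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PARAM = "wp-gvc-cf-download-id"  # parameter named in the advisory

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation IP ranges, made-up paths and IDs).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Jan/2026:10:00:01 +0000] "GET /?wp-gvc-cf-download-id=1 HTTP/1.1" 200 412 "-" "curl/8.5.0"
198.51.100.7 - - [09/Jan/2026:10:00:02 +0000] "GET /?wp-gvc-cf-download-id=2 HTTP/1.1" 200 398 "-" "curl/8.5.0"
198.51.100.7 - - [09/Jan/2026:10:00:03 +0000] "GET /?wp-gvc-cf-download-id=3 HTTP/1.1" 404 0 "-" "curl/8.5.0"
203.0.113.20 - - [09/Jan/2026:10:05:00 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [09/Jan/2026:10:06:00 +0000] "GET /?wp%2Dgvc%2Dcf%2Ddownload%2Did=9 HTTP/1.1" 200 377 "-" "Mozilla/5.0"
not a log line
"""


def find_export_requests(log_text):
    """Return {client_ip: {"ids": set, "served": int}} for requests carrying PARAM."""
    hits = defaultdict(lambda: {"ids": set(), "served": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # parse_qs percent-decodes parameter names, so encoded spellings still match
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if PARAM not in query:
            continue
        entry = hits[m["ip"]]
        entry["ids"].update(query[PARAM])   # distinct submission IDs requested
        if m["status"] == "200":
            entry["served"] += 1            # responses that returned content
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_export_requests(SAMPLE_LOG).items():
        print(ip, "ids:", sorted(info["ids"]), "served (HTTP 200):", info["served"])
```

A client that requests many distinct IDs and receives HTTP 200 responses is the pattern to examine first; requests sent in a POST body do not appear in this log format.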
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Contact Form 7
Contact Form Vcard Generator