Description
The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs.
Published: 2025-11-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and log reset
Action: Update plugin
AI Analysis

Impact

The Integrate Contact Form 7 and AWeber plugin contains an AJAX endpoint that resets AWeber logs without verifying the user's role. Because the check is missing, any authenticated user with Subscriber level or higher can trigger a log reset. This lack of authorization (CWE-862) can allow attackers to tamper with integration data and potentially disrupt service availability for the affected WordPress site.

Affected Systems

WordPress sites running the plugin Integrate Contact Form 7 and AWeber version 0.1.42 or earlier. The plugin is distributed by rnzo.

Risk and Exploitability

The CVSS score of 4.3 reflects a medium risk, and the EPSS score of less than 1% indicates a low probability of exploitation. Exploitation requires a valid account with a role of Subscriber or higher, so the exposure is confined to users who already hold such privileges. The vulnerability is not included in the CISA KEV list, so there is no evidence of widespread exploitation. Nonetheless, site administrators who have many subscriber accounts (for example, sites with open registration) should consider the potential for internal misuse.

Generated by OpenCVE AI on April 22, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version (0.1.43 or later) to apply the missing authorization check.
  • If an upgrade is pending, temporarily reduce Subscriber role permissions, or block access to the AJAX endpoint for non-admins by editing the plugin code or using a security plugin.
  • Review and adjust user roles, limiting the number of users with Subscriber or higher permissions, and monitor audit logs for unexpected log reset events.
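The missing check the advisory describes is a capability check on a `wp_ajax_*` hook, which WordPress exposes to every logged-in user via admin-ajax.php. The following is an added example, not the plugin's own code: it shows the hardened shape of a handler registered on the `wp_ajax_aweber_logreset` hook named in the advisory (nonce plus explicit capability before any data change), and a site-level guard that an administrator can drop into a must-use plugin while an upgrade is pending. The function names, the option key `example_aweber_log`, the nonce action string and the `manage_options` capability choice are assumptions for illustration.

```php
<?php
/*
 * Added example; not part of the Contact Form 7 AWeber Extension plugin.
 * Function names, option key and nonce action are assumed for illustration.
 */

/*
 * Hardened handler for the 'wp_ajax_aweber_logreset' hook.
 * Order matters: verify the request before touching any data.
 */
function example_aweber_logreset_handler() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() ends the request with a 403 if it is missing or stale.
    check_ajax_referer( 'example_aweber_logreset', 'nonce' );

    // 2. Authorization: being logged in is not enough; require an explicit capability.
    //    This is the check whose absence the advisory classifies as CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Only now perform the privileged change (assumed option key).
    delete_option( 'example_aweber_log' );
    wp_send_json_success( array( 'message' => 'log reset' ) );
}
add_action( 'wp_ajax_aweber_logreset', 'example_aweber_logreset_handler' );

/*
 * Interim site-level guard, suitable for wp-content/mu-plugins/ while the
 * plugin is unpatched. admin-ajax.php fires 'admin_init' before dispatching
 * the requested action, so a low-priority admin_init hook runs first and can
 * refuse the call for anyone without the required capability. The plugin's
 * own code is left untouched.
 */
function example_guard_aweber_logreset() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'aweber_logreset' !== $action ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        // Leave a trace for the audit-log review the recommendations call for.
        error_log( sprintf(
            'blocked aweber_logreset for user %d from %s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}
add_action( 'admin_init', 'example_guard_aweber_logreset', 1 );
```

The guard relies on `admin-ajax.php` running `admin_init` before the `wp_ajax_{action}` hook, which is how WordPress core dispatches AJAX requests; the `error_log` call gives administrators a concrete signal to watch for when reviewing logs for unexpected reset attempts, as the recommendation above suggests.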

Generated by OpenCVE AI on April 22, 2026 at 21:17 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 10 Nov 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Rnzo; Rnzo contact Form 7 Aweber Extension; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Rnzo; Rnzo contact Form 7 Aweber Extension; Wordpress; Wordpress wordpress

Sat, 08 Nov 2025 03:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs.

Type: Title
Values Removed: (none)
Values Added: Contact Form 7 AWeber Extension <= 0.1.42 - Missing Authorization to Authenticated (Subscriber+) Log Reset

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Rnzo Contact Form 7 Aweber Extension
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:40.392Z

Reserved: 2025-10-24T14:19:43.666Z

Link: CVE-2025-12167

Vulnrichment

Updated: 2025-11-10T20:12:03.691Z

NVD

Status: Deferred

Published: 2025-11-08T04:15:44.857

Modified: 2026-06-17T08:31:49.547

Link: CVE-2025-12167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:30:27Z

Weaknesses