Impact
The User Registration Using Contact Form 7 plugin for WordPress lacks a capability check in the 'get_cf7_form_data' function in all versions up to and including 2.5. Because the function never verifies that the caller is authorized, an unauthenticated attacker can invoke it and retrieve the full set of form settings, which includes sensitive values such as Facebook application secrets. The weakness is missing authorization (CWE-862). The disclosure compromises the confidentiality of application credentials and could be used to reach linked services that trust those credentials.
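The pattern behind CWE-862 here, shown as an added illustrative example in WordPress-style PHP that is not the affected plugin's own code: a hypothetical AJAX handler that returns form settings with no authorization check, beside a hardened version of the same handler. The hook names, option key, nonce action and function names are assumptions made for illustration; the advisory does not state how the real 'get_cf7_form_data' function is exposed, so the request shape below is not the plugin's.

```php
<?php
// Added illustrative example, not code from the affected plugin.
// All hook names, option keys and function names are assumed.

// Vulnerable pattern: missing authorization (CWE-862).
// The wp_ajax_nopriv_ registration makes the handler reachable by
// logged-out callers, so anyone who can send
// POST /wp-admin/admin-ajax.php?action=example_get_form_data
// receives the stored settings, secrets included.
add_action( 'wp_ajax_example_get_form_data', 'example_get_form_data_vulnerable' );
add_action( 'wp_ajax_nopriv_example_get_form_data', 'example_get_form_data_vulnerable' );

function example_get_form_data_vulnerable() {
    $form_id  = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    // Assumed option layout: one settings array per form id.
    $settings = get_option( 'example_cf7_form_settings_' . $form_id, array() );
    // No current_user_can() and no nonce check before returning everything,
    // including values such as an app secret stored with the form config.
    wp_send_json_success( $settings );
}

// Hardened pattern: registered only for authenticated users, verifies a
// nonce against CSRF, requires a capability that unprivileged accounts
// lack, and strips secret material from the response even for authorized
// callers.
add_action( 'wp_ajax_example_get_form_data_secure', 'example_get_form_data_secure' );

function example_get_form_data_secure() {
    // The admin page that calls this handler embeds
    // wp_create_nonce( 'example_form_data' ) as the 'nonce' field.
    check_ajax_referer( 'example_form_data', 'nonce' );

    // Authorization: only users allowed to manage plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $form_id  = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $settings = get_option( 'example_cf7_form_settings_' . $form_id, array() );

    // Never echo credentials back to the browser; the admin UI only needs
    // to know whether a secret is configured, not its value.
    $secret_keys = array( 'facebook_app_secret' );
    foreach ( $secret_keys as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $settings[ $key ] = ( '' !== $settings[ $key ] ) ? '[configured]' : '';
        }
    }

    wp_send_json_success( $settings );
}
```

When auditing a site for this class of bug, the quick check is to send the suspect action to admin-ajax.php from a client with no WordPress session: WordPress answers `0` when no handler is registered for anonymous callers, whereas a response carrying settings data shows that a `wp_ajax_nopriv_` handler exists and is returning content without authorization.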
Affected Systems
WordPress sites running the User Registration Using Contact Form 7 plugin from the 'zealopensource' vendor at any version up to and including 2.5 are affected. The plugin is used to create WordPress user accounts from Contact Form 7 form submissions.
Risk and Exploitability
A CVSS score of 5.3 places the flaw at medium severity, consistent with an unauthenticated, network-reachable information disclosure whose direct impact is limited to confidentiality; an EPSS score below 1% indicates that exploitation is currently unlikely, though not impossible. Any unauthenticated user who can reach the code path that invokes 'get_cf7_form_data' can trigger the disclosure over the network, but the advisory does not state how that function is exposed (for example, whether through an AJAX action or a REST route), so the exact request must be confirmed against the plugin source rather than assumed. The flaw is not listed in CISA's KEV catalog, but it remains a valid medium-risk issue for every affected installation. An attacker who retrieves the form settings obtains the Facebook application secret, which can be used to act as the site's application against Facebook's APIs and to access data held by connected services. The most exposed deployments are publicly reachable sites that run the plugin without additional access controls, such as request filtering in front of WordPress. Sites should update to a version that is no longer listed as affected and rotate any Facebook application secret that was configured in an affected version, since that secret should be treated as disclosed.
OpenCVE Enrichment