Impact
The Ultra Addons for Contact Form 7 plugin for WordPress contains a missing capability check in its uacf7_get_generated_pdf function in all versions up to and including 3.5.33. Because the function never verifies the caller's privileges, any authenticated user with Subscriber-level access or higher can request and download a PDF containing the data of any form submission, provided the PDF Generator and Database addons are enabled. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the caller controls which submission's PDF is produced, and the plugin never checks whether that caller is entitled to read it, so confidential submission data is exposed without authorization. With a CVSS score of 4.3 the impact is a moderate loss of confidentiality; the score is held down because the attacker needs a logged-in account and both addons must be active, not because the request itself is hard to make.
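To make the flaw class concrete, the following is an added illustration of the vulnerable admin-ajax pattern beside its hardened form. It is example code written for this page, not code from the Ultra Addons for Contact Form 7 plugin or from Themefic; the action names, function names, the submissions table and the capability chosen are assumptions used only to show the pattern.

```php
<?php
// Added illustration, not the plugin's own code. Every name below
// (actions, functions, table) is a hypothetical stand-in.

// Vulnerable pattern: a wp_ajax_* action is reachable by every logged-in
// user, including Subscribers, and nothing checks whether the caller may
// read the submission they ask for. The submission id is the
// user-controlled key of CWE-639.
add_action( 'wp_ajax_example_get_generated_pdf', 'example_get_generated_pdf_vulnerable' );
function example_get_generated_pdf_vulnerable() {
    $submission_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $pdf_path      = example_lookup_pdf_path( $submission_id ); // hypothetical helper
    if ( ! $pdf_path ) {
        wp_send_json_error( 'not found', 404 );
    }
    header( 'Content-Type: application/pdf' );
    readfile( $pdf_path );
    exit;
}

// Hardened pattern: refuse the request unless the caller holds a capability
// that implies the right to read submissions, and require a nonce so the
// endpoint cannot be triggered cross-site from a victim's browser.
add_action( 'wp_ajax_example_get_generated_pdf_fixed', 'example_get_generated_pdf_fixed' );
function example_get_generated_pdf_fixed() {
    // manage_options is the conservative default (administrators only); a
    // plugin may instead define its own narrower capability for form data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a 403 unless the 'nonce' parameter was issued for this action.
    check_ajax_referer( 'example_get_pdf', 'nonce' );

    $submission_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $pdf_path      = example_lookup_pdf_path( $submission_id );
    if ( ! $pdf_path ) {
        wp_send_json_error( 'not found', 404 );
    }
    header( 'Content-Type: application/pdf' );
    header( 'Content-Disposition: attachment; filename="submission-' . $submission_id . '.pdf"' );
    readfile( $pdf_path );
    exit;
}

// Hypothetical helper so the example is self-contained: a parameterised
// lookup against an assumed submissions table.
function example_lookup_pdf_path( $submission_id ) {
    global $wpdb;
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT pdf_path FROM {$wpdb->prefix}example_submissions WHERE id = %d",
        $submission_id
    ) );
}
```

The capability check is the fix for the flaw described here; the nonce check is the usual companion for any admin-ajax action that performs a privileged read or write, since without it a logged-in administrator can be made to issue the request from another site.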
Affected Systems
Affected systems are WordPress sites running the Ultra Addons for Contact Form 7 plugin by Themefic at any version up to and including 3.5.33. The flaw is only reachable when both the PDF Generator addon and the Database addon are enabled; both are disabled by default. The plugin is widely used for contact forms, so any installation still on an affected version with those two addons turned on should be treated as exposed.
Risk and Exploitability
Risk assessment gives a CVSS score of 4.3 and an EPSS score below 1 %: the confidentiality impact is moderate, but the probability of exploitation in the wild is currently low. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated account and access to the PDF generation endpoint; on sites with open registration a Subscriber account is trivial to obtain, so the authentication requirement is a weak barrier there. An attacker could harvest personal data from form submissions and use it for phishing or other abuse. The advisory recommends prompt remediation, by updating to a version later than 3.5.33 or by disabling the PDF Generator or Database addon until the update is applied, since the request is simple to craft and the exposed data can be valuable.
OpenCVE Enrichment