Description
Missing Authorization vulnerability in moshensky CF7 Spreadsheets cf7-spreadsheets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Spreadsheets: from n/a through <= 2.3.2.
Published: 2025-03-31
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the CF7 Spreadsheets WordPress plugin stems from a missing authorization check that allows an attacker to alter plugin configuration settings without proper permissions. By modifying these settings, the attacker can potentially change how form submissions are handled, redirect data, or tamper with spreadsheet output, thereby affecting data integrity and confidentiality. This weakness is categorized as an authorization failure (CWE‑862).

Affected Systems

The issue impacts the CF7 Spreadsheets plugin from the earliest available version through version 2.3.2, as distributed by the vendor moshensky. Any WordPress installation that has this plugin installed in a version affected by the flaw is susceptible.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity vulnerability, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The flaw is not listed as a known exploited vulnerability in the CISA KEV catalog. The attack vector is inferred to be local or web-based, requiring authenticated access to the WordPress site or exploitation of other compromised credentials to reach the plugin’s configuration interface. No public exploit has been reported, and the vulnerability appears to be a straightforward privilege escalation through misconfigured access control.

Generated by OpenCVE AI on May 1, 2026 at 02:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CF7 Spreadsheets to any version newer than 2.3.2.
  • Ensure that only trusted administrators have edit rights to the plugin’s configuration settings.
  • Re‑audit WordPress user roles and permissions to confirm that no site‑wide administrators can access the plugin settings without appropriate approval.

Advisories
Source: EUVD
ID: EUVD-2025-8801
Title: Missing Authorization vulnerability in moshensky CF7 Spreadsheets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Spreadsheets: from n/a through 2.3.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Missing Authorization vulnerability in moshensky CF7 Spreadsheets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Spreadsheets: from n/a through 2.3.2.
Values Added: Missing Authorization vulnerability in moshensky CF7 Spreadsheets cf7-spreadsheets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Spreadsheets: from n/a through <= 2.3.2.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Mon, 31 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 13:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in moshensky CF7 Spreadsheets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Spreadsheets: from n/a through 2.3.2.
Title WordPress CF7 Spreadsheets plugin <= 2.3.2 - Settings Change vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:58:07.406Z

Reserved: 2025-03-31T10:06:04.394Z

Link: CVE-2025-31603

Vulnrichment

Updated: 2025-03-31T15:50:28.257Z

NVD

Status: Deferred

Published: 2025-03-31T13:15:54.133

Modified: 2026-04-23T15:28:03.440

Link: CVE-2025-31603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:00:08Z

Weaknesses