Description
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to an Excel file.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized export of form submissions leads to data exposure
Action: Apply Patch
AI Analysis

Impact

The Advanced Contact form 7 DB plugin is missing a capability check in its export function. As a result, any authenticated user with a Subscriber role or higher can trigger the export feature and retrieve form submissions as an Excel file. The flaw allows a direct, unauthorized read of sensitive data and is classified as CWE-862 (Missing Authorization). The CVSS score of 4.3 (Medium) reflects a limited confidentiality impact (C:L in the vector) with no effect on integrity or availability.

Affected Systems

Affected are WordPress sites that have installed the Advanced Contact form 7 DB plugin from the vsourz1td vendor. All releases up to and including version 2.0.9 are affected. Users should verify whether their installations are running version 2.0.9 or earlier.
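One way to run that version check, as an added example that is not part of the advisory or the plugin's code: it reads the standard WordPress plugin header from the plugin's main PHP file and compares the `Version:` field with 2.0.9. The function names, the sample headers and the version number 2.0.10 are constructed for illustration, and it assumes the plugin's main file carries a standard header.

```python
import re

# Last affected release according to the advisory text.
LAST_AFFECTED = (2, 0, 9)

# WordPress reads plugin metadata from "Name: value" lines in the leading
# comment block of the plugin's main PHP file.
_HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                     re.IGNORECASE | re.MULTILINE)


def parse_plugin_header(php_source):
    """Return the 'plugin name' and 'version' header fields that are present."""
    fields = {}
    # WordPress only scans the first 8 KiB of the file for headers.
    for key, value in _HEADER.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value.strip(" \t\r*/"))
    return fields


def version_tuple(version):
    """Convert '2.0.9' or '2.1-beta' into a comparable tuple of integers."""
    parts = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(php_source):
    """True if <= 2.0.9, False if newer, None if no usable Version header."""
    version = parse_plugin_header(php_source).get("version")
    if not version or not re.search(r"\d", version):
        return None
    return version_tuple(version) <= LAST_AFFECTED


# Constructed sample headers (not copied from the real plugin file).
SAMPLE_OLD = """<?php
/**
 * Plugin Name: Advanced Contact form 7 DB
 * Version: 2.0.9
 */
"""
SAMPLE_NEW = SAMPLE_OLD.replace("2.0.9", "2.0.10")  # hypothetical later release

if __name__ == "__main__":
    for label, src in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, parse_plugin_header(src).get("version"), is_affected(src))
```

A `None` result means the file had no parseable `Version:` line and the installation should be checked by hand.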

Risk and Exploitability

Any user logged in with a Subscriber or higher role can exploit the flaw; no additional system compromise or privilege escalation is required. Exploitation is straightforward through the plugin's export feature, but the attacker must already possess valid credentials. The CVSS score indicates a moderate risk, no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 8, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Advanced Contact form 7 DB plugin to the latest release that validates export permissions.
  • Verify that only users with administrative roles retain the ability to export form data.
  • If an update cannot be applied immediately, revoke the export capability or restrict Subscriber privileges until a patched version is available.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to an Excel file.
Title Advanced CF7 DB <= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export
Weaknesses CWE-862
References
Metrics cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T18:36:26.257Z

Reserved: 2026-01-09T15:33:37.406Z

Link: CVE-2026-0814

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T19:24:52.880

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-0814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:59:43Z

Weaknesses