Description
Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34.
Published: 2026-02-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to plugin configuration
Action: Patch
AI Analysis

Impact

The vulnerability is a missing authorization error in the Ultimate Addons for Contact Form 7 plugin. It allows attackers to invoke administrative endpoints that should be protected, letting them modify form behavior and potentially extract or alter data collected through the contact forms. The weakness is the absence of permission checks before executing privileged actions, which could compromise the integrity of the form settings.

Affected Systems

The plugin affected is Themefic Ultimate Addons for Contact Form 7, any version up to and including 3.5.34. All WordPress sites that have installed this plugin without upgrading beyond version 3.5.34 are potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while an EPSS score of <1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers who can send crafted HTTP requests to the plugin’s administrative endpoints—likely from a remote location—could exploit the missing authorization checks. This inference is based on the description that the flaw involves incorrectly configured access control level checks.

Generated by OpenCVE AI on April 16, 2026 at 07:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ultimate Addons for Contact Form 7 to a version newer than 3.5.34
  • If an immediate upgrade is not possible, delete or disable the plugin to eliminate the attack surface
  • Apply WordPress hardening practices, such as enforcing strong administrator authentication and restricting access to the site’s administrative endpoints

Generated by OpenCVE AI on April 16, 2026 at 07:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Themefic
Themefic ultimate Addons For Contact Form 7
Wordpress
Wordpress wordpress
Vendors & Products Themefic
Themefic ultimate Addons For Contact Form 7
Wordpress
Wordpress wordpress

Tue, 03 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 14:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34.
Title WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.34 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Themefic Ultimate Addons For Contact Form 7
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:31.980Z

Reserved: 2026-01-28T09:50:05.802Z

Link: CVE-2026-24945

cve-icon Vulnrichment

Updated: 2026-02-03T18:38:15.227Z

cve-icon NVD

Status : Deferred

Published: 2026-02-03T15:16:15.750

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24945

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:15:28Z

Weaknesses