Description
Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw that allows a user with subscriber-level permissions—or potentially an unauthenticated user—to perform privileged actions within the Advanced Contact form 7 DB plugin. Attackers could read, modify, or delete form submissions made by other users, as well as alter plugin configuration settings, thereby compromising confidentiality, integrity, and potentially availability of site data.

Affected Systems

The vulnerable component is the Advanced Contact form 7 DB plugin by Vsourz Digital, version 2.0.9 and earlier. The issue is fixed in version 2.1.0 and later.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation. The attack vector is likely through the plugin’s administrative interface, which is reachable by logged‑in subscribers; therefore, an attacker who can authenticate as a subscriber could exploit the flaw. Prompt patching is advised to mitigate this risk.

Generated by OpenCVE AI on July 2, 2026 at 15:13 UTC.

Remediation

Vendor Solution

Update the WordPress Advanced Contact form 7 DB Plugin to the latest available version (at least 2.1.0).


OpenCVE Recommended Actions

  • Upgrade the Advanced Contact form 7 DB plugin to version 2.1.0 or later.
  • Remove or disable any older versions of the plugin that may still be present.
  • Restrict the plugin’s administrative URLs so that only users with administrator roles can access them (or block subscriber access to those endpoints).
  • Continuously monitor the WordPress plugin repository for new updates and apply them in a timely manner.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions.
Title | | WordPress Advanced Contact form 7 DB plugin <= 2.0.9 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T15:53:11.900Z

Reserved: 2026-06-25T08:03:37.652Z

Link: CVE-2026-57669

Vulnrichment

Updated: 2026-07-02T13:33:29.481Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:15:03Z

Weaknesses