Impact
The vulnerability is a broken access control flaw in the Advanced Contact form 7 DB plugin: a user with subscriber-level permissions, or potentially an unauthenticated user, can perform actions that should be reserved for privileged roles. An attacker could read, modify, or delete form submissions made by other users and alter the plugin's configuration settings, compromising the confidentiality and integrity of site data and potentially its availability.
Affected Systems
The vulnerable component is the Advanced Contact form 7 DB plugin by Vsourz Digital, versions 2.0.9 and earlier. The flaw is fixed in version 2.1.0; sites should upgrade to 2.1.0 or later.
Risk and Exploitability
The CVSS score of 6.5 places the vulnerability at medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog; that suggests no confirmed widespread exploitation at the time of writing, not that the flaw is hard to exploit. The attack vector is likely the plugin's administrative interface, which is reachable by any logged-in user, including subscribers; an attacker who can register or otherwise obtain a subscriber account could therefore exploit the flaw with low privilege. Sites that allow open user registration are at the greatest risk, since WordPress assigns the subscriber role to new accounts by default. Prompt patching is advised.
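The following is an added illustration of the class of bug described in the Impact and Risk sections, not the plugin's own code and not a description of the actual flaw: a WordPress admin-ajax handler that deletes a stored form submission and saves a setting with no capability or nonce check, beside a hardened version. The hook names, the `cf7_entries` table, the option key and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
/**
 * Added example of a broken-access-control pattern in a WordPress plugin.
 * This is NOT the Advanced Contact form 7 DB plugin's code. The action names,
 * the table suffix 'cf7_entries' and the option key 'demo_cf7db_settings' are
 * assumptions for illustration.
 */

// --- Vulnerable pattern ------------------------------------------------------
// admin-ajax.php is reachable by every logged-in user, including subscribers.
// Nothing here checks a nonce or a capability, so a subscriber can delete any
// entry by id. Wiring it on wp_ajax_nopriv_ as well (shown in the comment)
// would make it reachable with no session at all, which is the
// "potentially unauthenticated" case.
function demo_cf7db_delete_entry_vulnerable() {
    global $wpdb;
    $id = absint( $_POST['entry_id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'cf7_entries', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => $id ) );
}
// Vulnerable wiring (not registered here so it does not collide with the fix):
// add_action( 'wp_ajax_demo_cf7db_delete_entry',        'demo_cf7db_delete_entry_vulnerable' );
// add_action( 'wp_ajax_nopriv_demo_cf7db_delete_entry', 'demo_cf7db_delete_entry_vulnerable' );

// --- Hardened pattern --------------------------------------------------------
// 1. check_ajax_referer() ties the request to a nonce the admin page rendered
//    (anti-CSRF); it dies with a 403 on failure.
// 2. current_user_can() ties the action to a role that is allowed to manage
//    entries (authorization). Subscribers do not have manage_options.
// 3. Only wp_ajax_ (not wp_ajax_nopriv_) is registered, so unauthenticated
//    requests never reach the handler.
function demo_cf7db_delete_entry_hardened() {
    check_ajax_referer( 'demo_cf7db_delete_entry', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    $id = absint( $_POST['entry_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid entry id' ), 400 );
    }
    global $wpdb;
    $rows = $wpdb->delete( $wpdb->prefix . 'cf7_entries', array( 'id' => $id ), array( '%d' ) );
    if ( false === $rows ) {
        wp_send_json_error( array( 'message' => 'database error' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id, 'rows' => $rows ) );
}
add_action( 'wp_ajax_demo_cf7db_delete_entry', 'demo_cf7db_delete_entry_hardened' );

// Same discipline for a settings write: nonce, capability, then sanitize each
// field individually before it is persisted with update_option().
function demo_cf7db_save_settings_hardened() {
    check_ajax_referer( 'demo_cf7db_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    $settings = array(
        'notify_email' => sanitize_email( $_POST['notify_email'] ?? '' ),
        'keep_days'    => absint( $_POST['keep_days'] ?? 0 ),
    );
    update_option( 'demo_cf7db_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_demo_cf7db_save_settings', 'demo_cf7db_save_settings_hardened' );
```

To verify a deployment after upgrading, log in as a subscriber and POST the same `action=...` request to `/wp-admin/admin-ajax.php`: a handler with the hardened checks answers with a 403 JSON error (or `-1` / `0` from the nonce check) instead of a success payload, and the entry or option is unchanged. A nonce alone is not sufficient, since a subscriber who can load the page that renders it can obtain a valid nonce; the capability check is what enforces the role boundary.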
OpenCVE Enrichment