CVE-2025-14356 MEDIUM

CVE-2025-14356: Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF

Vendor Themefic
Product Ultra Addons for Contact Form 7
Weakness CWE-639 · IDOR
Published December 12, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access to data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and retrieve form submission PDFs when the "PDF Generator" and "Database" addons are enabled (both are disabled by default).
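The class of flaw in the description is a WordPress AJAX handler reachable by any logged-in user without an authorization check. The following is an added illustration, not code from Ultra Addons for Contact Form 7: a hypothetical endpoint that serves a stored submission PDF, first without the check and then hardened with a capability check, a nonce check and an object-level check (CWE-639). Every function, hook, post type, capability and meta key name is assumed.

```php
<?php
// Illustrative WordPress AJAX endpoint that serves a stored form-submission PDF.
// This is example code, not the plugin's own: every function, hook, post type
// and meta key below is assumed for the demonstration.

// Weak pattern (the class of flaw in the description): any logged-in user can
// call a wp_ajax_ hook, so with no capability check a Subscriber gets the PDF.
function example_get_submission_pdf_unchecked() {
    $submission_id = absint( $_GET['submission_id'] ?? 0 );
    example_stream_pdf( $submission_id );
}
add_action( 'wp_ajax_example_pdf_unchecked', 'example_get_submission_pdf_unchecked' );

// Hardened pattern: authorise the user, verify the nonce, then validate the
// object the id points at (CWE-639) before anything is read from disk.
function example_get_submission_pdf_checked() {
    // 1. Capability: only roles allowed to manage form data (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );          // sends JSON and exits
    }
    // 2. Anti-CSRF: nonce issued with the admin screen that links to this action.
    check_ajax_referer( 'example_pdf_nonce', 'nonce' ); // dies on failure

    // 3. Object-level check: the id must be a submission, not an arbitrary post.
    $submission_id = absint( $_GET['submission_id'] ?? 0 );
    $submission    = get_post( $submission_id );
    if ( ! $submission || 'example_submission' !== $submission->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    example_stream_pdf( $submission_id );
}
add_action( 'wp_ajax_example_pdf_checked', 'example_get_submission_pdf_checked' );

// Shared helper: look up the stored PDF path (assumed meta key) and stream it.
function example_stream_pdf( $submission_id ) {
    $path = get_post_meta( $submission_id, '_example_pdf_path', true );
    if ( ! $path || ! is_readable( $path ) ) {
        wp_send_json_error( 'no pdf', 404 );
    }
    nocache_headers();
    header( 'Content-Type: application/pdf' );
    header( 'Content-Disposition: attachment; filename="submission-' . $submission_id . '.pdf"' );
    readfile( $path );
    wp_die();
}
```

Because wp_ajax_ hooks fire for every authenticated user regardless of role, the capability check in step 1 is the control whose absence maps to the Subscriber+ precondition in this record; the nonce and object checks close the related CSRF and IDOR gaps.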

Explanation of Vulnerability in Simple Terms

Summary

Ultra Addons for Contact Form 7 versions 3.5.33 and earlier contain an authorization flaw that allows authenticated users to access sensitive information they should not be able to view. An attacker with a low-privilege account can read data that is restricted to higher-privilege users. The vulnerability requires an active user account but no additional user interaction.

What an attacker can do

Attacker Capabilities

Read sensitive data restricted to higher-privilege users via their authenticated account.

Potential impact on your site

Site Impact

User data and restricted information may be exposed to low-privilege account holders.

Conditions required to exploit

Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

Disclosure timeline

December 12, 2025 CVE published
April 8, 2026 Record updated