What the vulnerability does
01 Description
Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database (rtwwcfp-wordpress-contact-form-7-pdf) allows Using Malicious Files. This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
Explanation of Vulnerability in Simple Terms
02 Summary
The Contact Form 7 PDF, Google Sheet & Database plugin for WordPress contains an unrestricted file upload vulnerability affecting versions up to 3.0.0. An authenticated user with low privileges can upload arbitrary files to the server without validation, potentially gaining remote code execution. The vulnerability has a wide scope and impacts confidentiality, integrity, and availability of the site.
What an attacker can do
03 Attacker Capabilities
Upload arbitrary files to the server and execute code on the site.
Potential impact on your site
04 Site Impact
An attacker with basic user access can compromise your entire WordPress installation and access all data.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
December 18, 2025: CVE published
April 28, 2026: Record updated