CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
What the vulnerability does
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to excel file.
Explanation of Vulnerability in Simple Terms
Advanced Contact Form 7 DB versions up to 2.0.9 fail to properly check user permissions before allowing access to stored form submissions. A logged-in user with low privileges can read contact form data that should be restricted to administrators or form owners. The vulnerability does not allow modification or deletion of data, only unauthorized viewing.
What an attacker can do
Read contact form submissions and stored data they should not have access to.
Potential impact on your site
Visitor contact information, email addresses, and form submission content may be exposed to unauthorized site users.
Conditions required to exploit
Attacker must have a low-privilege user account on the site (e.g., subscriber or contributor role).
Key dates
External resources
Related vulnerabilities
