What the vulnerability does
Description
Subscriber Broken Access Control in Advanced Contact form 7 DB, versions <= 2.0.9.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Explanation of Vulnerability in Simple Terms
Advanced Contact Form 7 DB versions up to 2.0.9 fail to properly check user permissions before allowing access to stored form submissions. A logged-in user with low privileges can read contact form data submitted by other users, including names, email addresses, and message content. The vulnerability requires a valid user account but no special interaction from victims.
What an attacker can do
Read other users' contact form submissions, including names, emails, and messages.
Potential impact on your site
Any logged-in user can view all contact form submissions meant to be private or restricted.
Conditions required to exploit
Attacker must have a low-privilege user account on the site; no victim interaction needed.