CVE-2026-57669 MEDIUM

CVE-2026-57669: WordPress Advanced Contact form 7 DB plugin <= 2.0.9 - Broken Access Control vulnerability

Vendor: Vsourz Digital
Product: Advanced Contact form 7 DB
Weakness: CWE-862 · Missing authorization
Published: July 2, 2026
Last update: July 2, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions.

Explanation of Vulnerability in Simple Terms

02 Summary

Advanced Contact Form 7 DB versions up to 2.0.9 fail to properly check user permissions before allowing access to stored form submissions. A logged-in user with low privileges can read contact form data submitted by other users, including names, email addresses, and message content. The vulnerability requires a valid user account but no special interaction from victims.

What an attacker can do

03 Attacker Capabilities

Read other users' contact form submissions, including names, emails, and messages.

Potential impact on your site

04 Site Impact

Any logged-in user can view all contact form submissions meant to be private or restricted.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site; no victim interaction needed.

Key dates

06 Disclosure timeline

July 2, 2026: CVE published
July 2, 2026: Record updated