Contact Form vCard Generator WordPress Plugin Missing Authorization Vulnerability
Vulnerability
A vulnerability exists in the Contact Form vCard Generator plugin for WordPress, in all versions up to and including 2.4. The issue arises from a missing capability check in the 'wp_gvccf_check_download_request' function. This flaw allows unauthenticated attackers to access and export sensitive data from Contact Form 7 submissions, including names, phone numbers, email addresses, and messages. The submission to export is selected via the 'wp-gvc-cf-download-id' parameter.
Impact
Exploitation of this vulnerability leads to unauthorized access and exposure of sensitive information from Contact Form 7 submissions.
Reproduction
To reproduce this vulnerability, send a request to the WordPress site with the 'wp-gvc-cf-download-id' parameter set to a valid ID of a Contact Form 7 submission. Ensure that the 'wp-gvc-cf' parameter is also included, specifying the contact form from which data is to be downloaded. Because no capability check is performed, the request is processed without authentication, resulting in the unauthorized export of submission data.
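The pattern behind both the vulnerability description and the reproduction steps above is a download handler that acts on request parameters alone. The following is an added illustration, not code from the Contact Form vCard Generator plugin: the function names (example_vcard_download_vulnerable, example_vcard_download_hardened, example_send_vcard), the post-meta storage layout, the 'manage_options' capability and the nonce action name are all assumptions chosen to show the missing-authorization defect next to the check a maintainer would add.

```php
<?php
/**
 * Added example, not the plugin's own code. Hypothetical reconstruction of a
 * submission-export handler: the vulnerable shape, then a hardened version.
 * Assumed: each CF7 submission is stored as a post with the fields in post meta.
 */

// Vulnerable pattern (assumed): the export runs for anyone who supplies an ID.
function example_vcard_download_vulnerable() {
	if ( empty( $_GET['wp-gvc-cf-download-id'] ) ) {
		return;
	}
	$submission_id = absint( $_GET['wp-gvc-cf-download-id'] );
	// Missing authorization: no login, capability or nonce check before export.
	example_send_vcard( $submission_id );
}

// Hardened pattern: require an authenticated, capable user and a valid nonce.
function example_vcard_download_hardened() {
	if ( empty( $_GET['wp-gvc-cf-download-id'] ) ) {
		return;
	}

	// Capability check: only users allowed to administer the site may export
	// submission data. 'manage_options' is an assumed choice of capability.
	if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to export form submissions.' ),
			'',
			array( 'response' => 403 )
		);
	}

	// Nonce check: prevents a logged-in administrator from being tricked into
	// triggering the export via a crafted link (CSRF). Action name is assumed.
	$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'example_vcard_download' ) ) {
		wp_die( esc_html__( 'Invalid or expired request.' ), '', array( 'response' => 403 ) );
	}

	$submission_id = absint( $_GET['wp-gvc-cf-download-id'] );
	example_send_vcard( $submission_id );
}

// Escape a value for a vCard 3.0 property (backslash, semicolon, comma, newline).
function example_vcard_escape( $value ) {
	return str_replace(
		array( '\\', ';', ',', "\r\n", "\n" ),
		array( '\\\\', '\\;', '\\,', '\\n', '\\n' ),
		(string) $value
	);
}

// Build and send a vCard for one stored submission (assumed meta key names).
function example_send_vcard( $submission_id ) {
	$post = get_post( $submission_id );
	if ( ! $post ) {
		wp_die( esc_html__( 'Submission not found.' ), '', array( 'response' => 404 ) );
	}

	$fields = array(
		'FN'    => get_post_meta( $submission_id, 'your-name', true ),
		'TEL'   => get_post_meta( $submission_id, 'your-phone', true ),
		'EMAIL' => get_post_meta( $submission_id, 'your-email', true ),
		'NOTE'  => get_post_meta( $submission_id, 'your-message', true ),
	);

	$lines = array( 'BEGIN:VCARD', 'VERSION:3.0' );
	foreach ( $fields as $prop => $value ) {
		if ( '' !== $value ) {
			$lines[] = $prop . ':' . example_vcard_escape( $value );
		}
	}
	$lines[] = 'END:VCARD';

	nocache_headers();
	header( 'Content-Type: text/vcard; charset=utf-8' );
	header( 'Content-Disposition: attachment; filename="submission-' . $submission_id . '.vcf"' );
	echo implode( "\r\n", $lines ) . "\r\n";
	exit;
}

// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'init', 'example_vcard_download_hardened' );
```

The hardened handler rejects the request before it touches any submission data, so an unauthenticated visitor receives a 403 and never reaches the export path. On a site running an affected version, web-server access logs can be reviewed for requests carrying the 'wp-gvc-cf-download-id' parameter without an accompanying logged-in session cookie, which is the signature of the unauthorized export described in this advisory.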
