Advanced Contact Form 7 DB Missing Authorization Vulnerability in WordPress

Vulnerability

A vulnerability exists in the Advanced Contact Form 7 DB plugin for WordPress, specifically in versions up to and including 2.0.9. The issue arises from a lack of proper capability checks in the 'vsz_cf7_export_to_excel' function, allowing authenticated attackers with Subscriber-level access or higher to export form submissions as Excel files. This unauthorized data access can expose sensitive information contained in the form submissions, which constitutes a potential privacy breach.

Impact

Exploitation of this vulnerability allows for unauthorized export of form submission data to Excel, potentially exposing sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can navigate to the Contact Form DB admin interface. From there, they can select a form and use the export feature to download the submissions as an Excel file. The absence of proper authorization checks allows this action to be performed without the necessary permissions.

Remediation

Users are advised to update the Advanced Contact Form 7 DB plugin to version 2.1.0 or later, where this vulnerability has been patched.
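To illustrate the defect class behind this advisory, the constructed example below contrasts a WordPress export handler that omits a capability check with a hardened version that enforces one. This is added example code, not the plugin's own implementation (which this page does not show); the hook name, function names, capability choice and nonce action are assumed placeholders.

```php
<?php
// Constructed example of a missing-authorization defect in a WordPress
// export handler. All identifiers below are placeholders, not the
// plugin's real hook or function names.

// BEFORE (vulnerable pattern): admin-post.php runs the `admin_post_{action}`
// hook for ANY logged-in user, so without a capability check a Subscriber
// can reach this handler and trigger the export.
function example_export_to_excel_vulnerable() {
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    example_send_submissions_as_excel( $form_id );
}

// AFTER (hardened pattern): refuse the request before doing any work unless
// the caller holds an administrative capability and presents a valid nonce.
function example_export_to_excel_fixed() {
    // Capability check: Subscribers do not have manage_options, so they get 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to export submissions.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Nonce check: stops a third-party page from driving an administrator's
    // browser into the export (CSRF). Dies with 403 on failure.
    check_admin_referer( 'example_export', '_wpnonce' );

    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    example_send_submissions_as_excel( $form_id );
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_action( 'admin_post_example_export', 'example_export_to_excel_fixed' );

// Placeholder for the actual spreadsheet-building routine; its contents are
// irrelevant to the authorization point and are omitted here.
function example_send_submissions_as_excel( $form_id ) {
    // Build and stream the export for $form_id (assumed, not shown).
}
```

When auditing a plugin for this class of bug, look for `admin_post_*`, `wp_ajax_*` and REST callbacks that read or write data without a `current_user_can()` (or REST `permission_callback`) guard.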

Added: Apr 8, 2026, 8:47 PM
Updated: Apr 8, 2026, 8:47 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.