Skip to main content

Advanced Contact Form 7 DB EUVDEUVD-2026-41280

| CVE-2026-57669 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-hf25-m3ff-vv5r
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Subscriber account required (PR:L); read-only database access yields no integrity or availability impact; network-accessible endpoint with no complexity beyond holding a valid account.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:35 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions.

AnalysisAI

Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on open-registration WordPress site
Delivery
Authenticate via WordPress login form
Exploit
Send HTTP request to unprotected plugin data endpoint
Execution
Receive all stored contact form submissions
Impact
Harvest PII for phishing or spam

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account at subscriber level or higher - unauthenticated exploitation is not possible based on the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS base score of 6.5 (Medium) accurately captures the risk profile: the attack is network-exploitable with low complexity (AV:N/AC:L) but requires at least a subscriber-level account (PR:L), which is a meaningful barrier on sites with closed registration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker navigates to a WordPress site running Advanced Contact Form 7 DB <= 2.0.9 with open user registration enabled, self-registers a free subscriber account, and authenticates. The attacker then sends an HTTP request to the plugin's unprotected submission-retrieval endpoint, receiving all stored contact form records in response without any further privilege escalation. …
Remediation The primary remediation is to update the Advanced Contact Form 7 DB plugin to the first version released after 2.0.9 once Vsourz Digital publishes a patched release; check the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/advanced-cf7-db/vulnerability/wordpress-advanced-contact-form-7-db-plugin-2-0-9-broken-access-control-vulnerability for the confirmed fixed version number, which is not independently verified in this dataset. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy