Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Subscriber account required (PR:L); read-only database access yields no integrity or availability impact; network-accessible endpoint with no complexity beyond holding a valid account.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions.
AnalysisAI
Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account at subscriber level or higher - unauthenticated exploitation is not possible based on the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS base score of 6.5 (Medium) accurately captures the risk profile: the attack is network-exploitable with low complexity (AV:N/AC:L) but requires at least a subscriber-level account (PR:L), which is a meaningful barrier on sites with closed registration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker navigates to a WordPress site running Advanced Contact Form 7 DB <= 2.0.9 with open user registration enabled, self-registers a free subscriber account, and authenticates. The attacker then sends an HTTP request to the plugin's unprotected submission-retrieval endpoint, receiving all stored contact form records in response without any further privilege escalation. … |
| Remediation | The primary remediation is to update the Advanced Contact Form 7 DB plugin to the first version released after 2.0.9 once Vsourz Digital publishes a patched release; check the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/advanced-cf7-db/vulnerability/wordpress-advanced-contact-form-7-db-plugin-2-0-9-broken-access-control-vulnerability for the confirmed fixed version number, which is not independently verified in this dataset. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41280
GHSA-hf25-m3ff-vv5r