Advanced Contact Form 7 Db
Monthly
Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. No public exploit or CISA KEV listing exists at time of analysis, but low attack complexity and high confidentiality impact make this a meaningful risk on any WordPress site that permits open user registration.
Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. No public exploit or CISA KEV listing exists at time of analysis, but low attack complexity and high confidentiality impact make this a meaningful risk on any WordPress site that permits open user registration.