{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0814", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-09T15:33:37.406Z", "datePublished": "2026-04-08T17:25:52.159Z", "dateUpdated": "2026-04-08T18:36:26.257Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:52.159Z"}, "affected": [{"vendor": "vsourz1td", "product": "Advanced Contact form 7 DB", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to excel file."}], "title": "Advanced CF7 DB <= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a534-475b-9138-2337755b0288?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L1507"}, {"url": "https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kai Aizen"}], "timeline": [{"time": "2026-04-08T05:13:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:36:16.706726Z", "id": "CVE-2026-0814", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:36:26.257Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to excel file."}], "id": "CVE-2026-0814", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T19:24:52.880", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L1507"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a534-475b-9138-2337755b0288?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T19:55:20.056025+00:00", "value": {"mitigation_remediation": ["Update the Advanced Contact form 7 DB plugin to the latest release that validates export permissions.", "Verify that only users with administrative roles retain the ability to export form data.", "If an update cannot be applied immediately, revoke the export capability or restrict Subscriber privileges until a patched version is available."], "summary": {"action": "Apply Patch", "impact": "Unauthorized export of form submissions leads to data exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Advanced Contact form 7 DB plugin from the vsourz1td vendor. All releases up to and including version 2.0.9 are affected. Users should verify whether their installations are running any version 2.0.9 or earlier.", "description_and_impact": "The Advanced Contact form 7 DB plugin contains a missing capability check in the export function. As a result, any authenticated user with a Subscriber role or higher can trigger the export feature and retrieve form submissions as an Excel file. This flaw is a direct unauthorized read of sensitive data, constituting a data exposure vulnerability identified as CWE-862. The CVSS score of 4.3 reflects a moderate impact but indicates that once accessed, confidential information may be obtained by an attacker.", "risk_and_exploitability": "The flaw is exploitable by any user who has logged in with a Subscriber or higher role on the site; no additional system compromise or privilege escalation is required. Exploitation is straightforward through the plugin\u2019s export feature, but the attacker must already possess valid credentials. The CVSS score indicates a moderate risk, and the EPSS score is not available, while the vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-08T19:59:43.033810+00:00", "updated": "2026-04-08T19:59:43.033867+00:00", "vendors": []}