Advanced CF7 DB < 2.1.0 – Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export | CVE 2026-0814 | Plugin Vulnerabilities

Description

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to excel file.

Affects Plugins

advanced-cf7-db

Fixed in 2.1.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a534-475b-9138-2337755b0288

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Kai Aizen

Verified

No

WPVDB ID

47a14007-7a3e-43db-8f05-087282d0199b

Timeline

Publicly Published

2026-04-08 (about 1 month ago)

Added

2026-04-08 (about 1 month ago)

Last Updated

2026-04-08 (about 1 month ago)

Other

Published

Title

Published

2026-01-13

Title

Netcash WooCommerce Payment Gateway < 4.1.4 - Missing Authorization to Unauthenticated Order Status Modification

Published

2025-05-07

Title

GS Testimonial Slider < 3.3.1 - Missing Authorization

Published

2025-06-26

Title

DWT < 3.3.7 - Unauthenticated Arbitrary User Password Reset

Published

2024-05-07

Title

weDocs < 2.1.5 - Missing Authorization

Published

2025-11-03

Title

Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One 2.0.7 - 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Post Creation