WordPress Plugin Vulnerabilities

Ultimate Addons for Contact Form 7 < 3.2.11 - Missing Authorization

Description

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the uacf7_database_export_csv() function hooked via init in versions up to, and including, 3.2.10. This makes it possible for unauthenticated attackers to export data from contact forms. This has been "partially" patched in 3.2.7, however, since the nonce is exposed to subscribers this can still be exploited by subscriber-level users and above. Version 3.2.11 introduces a capability check.

Affects Plugins

Plugin icon
ultimate-addons-for-contact-form-7
Fixed in 3.2.11

References

CVE
CVE-2023-47693
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/73720e67-79e5-4b4c-8720-e28ad718b2b3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
minhtuanact
Verified
No
WPVDB ID
77ffb89d-18bd-4b0d-ad4a-c0d716a5f16c

Timeline

Publicly Published
2023-11-09 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-08-13
Title
Netease Music <= 3.2.1 - Missing Authorization
Published
2024-03-28
Title
BEAR < 1.1.4.4 - Missing Authorization
Published
2026-04-07
Title
Ocean Extra < 2.5.4 - Missing Authorization
Published
2025-12-19
Title
Pretty Google Calendar < 2.0.1 - Missing Authorization to Unauthenticated Google API Key Exposure
Published
2026-01-22
Title
ListingHub <= 1.2.7 - Missing Authorization