Ultra Addons for Contact Form 7 < 3.5.34 – Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF | CVE 2025-14356 | Plugin Vulnerabilities

Description

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the "PDF Generator" and the "Database" addons are enabled (disabled by default).

Affects Plugins

ultimate-addons-for-contact-form-7

Fixed in 3.5.34

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3af9ece0-1556-4457-87ee-343daec5e74f

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

d05175b6-7777-4c5f-adf6-53c51fc952b5

Timeline

Publicly Published

2025-12-11 (about 5 months ago)

Added

2025-12-11 (about 5 months ago)

Last Updated

2025-12-12 (about 5 months ago)

Other

Published

Title

Published

2023-01-27

Title

Quick Restaurant Menu < 2.1.0 - Subscriber+ Arbitrary Post Deletion/Updating

Published

2024-12-12

Title

WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin < 1.0.28 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion

Published

2026-04-15

Title

Payment Gateway for Redsys & WooCommerce Lite < 7.0.1 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation

Published

2024-04-16

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Insecure Direct Object Reference

Published

2026-01-02

Title

Sweet Jane <= 1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference