CVE-2026-0814

Description

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to excel file.

PUBLISHED Reserved 2026-01-09 | Published 2026-04-08 | Updated 2026-04-08 | Assigner Wordfence

Problem types

CWE-862 Missing Authorization

Product status

Timeline

Credits

Kai Aizen finder

References

www.wordfence.com/...-a534-475b-9138-2337755b0288?source=cve

plugins.trac.wordpress.org/...lass-advanced-cf7-db-admin.php

plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db

cve.org (CVE-2026-0814)

nvd.nist.gov (CVE-2026-0814)

Download JSON