[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhbx4pQWXGZmt0_JICPRR0KaUHG577qsVIMMoshwHJrI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"source_links":40},"CVE-2026-0814","advanced-cf7-db-missing-authorization-to-authenticated-subscriber-form-submissions-excel-export","Advanced CF7 DB \u003C= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export","The Advanced Contact Form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to an Excel file.","advanced-cf7-db",null,"\u003C=2.0.9","2.1.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-04-08 05:13:06","2026-04-08 17:25:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5e3de1a4-a534-475b-9138-2337755b0288?source=api-prod",1,[22,23,24,25,26,27,28],"README.txt","admin\u002Fclass-advanced-cf7-db-admin.php","admin\u002Fpartials\u002Fcontact_form_listing.php","admin\u002Fpartials\u002Fimport_cf7_csv.php","admin\u002Fpartials\u002Fimport_cf7_entry.class.php","advanced-cf7-db.php","includes\u002Fvsz-cf7-db-function.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-0814 - Advanced CF7 DB Export Authorization Bypass\n\n## 1. Vulnerability Summary\nThe **Advanced Contact Form 7 DB** plugin (up to 2.0.9) contains a missing authorization vulnerability in the `vsz_cf7_export_to_excel` function. This function handles the logic for exporting form submissions into Excel format. While the plugin implements some capability checks for its admin menu pages, the specific function responsible for triggering the export lacks a `current_user_can()` check. Consequently, any authenticated user, including those with **Subscriber-level** permissions, can trigger the export process by sending a crafted request to the WordPress admin dashboard, leading to unauthorized data disclosure.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin.php` (or any admin page like `index.php`, as the handler is likely hooked to `admin_init`).\n- **Trigger Parameter**: `vsz_cf7_export_excel` (based on the `name` attribute of the submit button in `contact_form_listing.php`).\n- **Required Parameters**:\n    - `cf7_id`: The ID of the Contact Form 7 to export.\n    - `vsz_cf7_export_excel`: Set to `1` or the button label `Export Excel`.\n    - `_wpnonce`: (Potentially required) The nonce for the action `vsz-cf7-action-nonce`.\n- **Authentication**: Authenticated (Subscriber+).\n- **Vulnerable Function**: `vsz_cf7_export_to_excel` (likely located in `admin\u002Fclass-advanced-cf7-db-admin.php`).\n\n## 3. Code Flow\n1. **Request Reception**: An authenticated user sends a GET or POST request to `\u002Fwp-admin\u002F` containing `vsz_cf7_export_excel=1` and a valid `cf7_id`.\n2. **Hook Execution**: The WordPress `admin_init` hook fires. The plugin registers `vsz_cf7_export_to_excel` to this hook (or a similar early-stage admin hook).\n3. **Missing Check**: The function `vsz_cf7_export_to_excel` checks for the presence of the `vsz_cf7_export_excel` parameter but fails to verify if the current user has the `manage_options` capability or specific form view capabilities (`cf7_db_form_view_[ID]`).\n4. **Data Retrieval**: The function retrieves all entries for the specified `cf7_id` from the database table (stored in `VSZ_CF7_DATA_ENTRY_TABLE_NAME`).\n5. **Response Generation**: The plugin uses `PhpOffice\\PhpSpreadsheet` to generate an `.xlsx` or `.xls` file and streams it to the user with appropriate headers (`Content-Type: application\u002Fvnd.ms-excel`).\n\n## 4. Nonce Acquisition Strategy\nThe nonce `vsz-cf7-action-nonce` is generated in `admin\u002Fpartials\u002Fcontact_form_listing.php`. If the function verifies this nonce, a Subscriber must obtain it.\n\n1. **Check Common Exposure**: Plugins often expose nonces via `wp_localize_script`. 
Check the source of `\u002Fwp-admin\u002Fprofile.php` for a global JS variable (likely named `vsz_cf7_db_admin_obj` or similar).\n2. **Shortcode Method**: The plugin uses shortcodes to display data. If a shortcode is placed on a page, it might enqueue scripts containing the nonce.\n    - Check for shortcode registration: `grep -r \"add_shortcode\" .`\n    - Create a page with the shortcode: `wp post create --post_content='[cf7-db-display-ip]' ...` (example from README).\n3. **Browser Extraction**:\n    - Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n    - Use `browser_eval` to search for the nonce: `browser_eval(\"window.vsz_cf7_db_admin_obj?.nonce || document.body.innerHTML.match(\u002Fvsz-cf7-action-nonce\u002F)\")`.\n\n*Note: In `admin\u002Fpartials\u002Fcontact_form_listing.php`, the code `if(!wp_verify_nonce( $nonce, 'vsz-cf7-action-nonce'))` appears to verify a nonce against itself immediately after creation, suggesting the developer may have implemented nonce checks incorrectly or not at all in the actual export handler.*\n\n## 5. Exploitation Strategy\n### Step 1: Identify a valid Form ID\nUse WP-CLI to find an existing Contact Form 7 ID.\n`wp post list --post_type=wpcf7_contact_form --format=ids`\n\n### Step 2: Trigger Export\nAs a Subscriber, attempt to download the Excel file.\n\n**Request:**\n```http\nGET \u002Fwp-admin\u002Fadmin.php?vsz_cf7_export_excel=1&cf7_id=TARGET_FID HTTP\u002F1.1\nHost: localhost\nCookie: [Subscriber Cookies]\n```\n\nIf the above fails with a 403 or redirect, try providing the nonce (if found):\n```http\nGET \u002Fwp-admin\u002Fadmin.php?vsz_cf7_export_excel=1&cf7_id=TARGET_FID&_wpnonce=NONCE_VALUE HTTP\u002F1.1\nHost: localhost\nCookie: [Subscriber Cookies]\n```\n\n## 6. Test Data Setup\n1. **Install Dependencies**: Ensure Contact Form 7 and Advanced CF7 DB are active.\n2. **Create Form**: `wp post create --post_type=wpcf7_contact_form --post_title=\"Sensitive Leads\" --post_status=publish`. Let the ID be `123`.\n3. 
**Inject Data**: Manually insert a row into the database to simulate a form submission.\n   ```bash\n   wp db query \"INSERT INTO wp_cf7_vdata (created) VALUES (NOW());\"\n   DATA_ID=$(wp db query \"SELECT LAST_INSERT_ID();\" --silent --skip-column-names)\n   wp db query \"INSERT INTO wp_cf7_vdata_entry (cf7_id, data_id, name, value) VALUES (123, $DATA_ID, 'your-name', 'Target User');\"\n   wp db query \"INSERT INTO wp_cf7_vdata_entry (cf7_id, data_id, name, value) VALUES (123, $DATA_ID, 'your-email', 'target@example.com');\"\n   ```\n4. **Create Subscriber**: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`.\n\n## 7. Expected Results\n- The server should respond with `200 OK`.\n- `Content-Disposition` header should contain `attachment;filename=...excel...`.\n- The response body should contain binary spreadsheet data.\n- Parsing the response (or observing file size) should reveal the data injected in Step 6 (\"Target User\").\n\n## 8. Verification Steps\n1. **Confirm Role**: Use `wp user get attacker` to verify the user is only a Subscriber.\n2. **Validate Content**: Save the response body to a file and check if it's a valid ZIP\u002FOffice document:\n   `file download.xlsx`\n3. **Compare Permissions**: Attempt the same request without being","The Advanced Contact Form 7 DB plugin for WordPress lacks authorization and capability checks in its data export handlers. This allows authenticated users, including those with Subscriber-level permissions, to export all Contact Form 7 submissions to CSV or Excel files by providing a valid form ID.","\u002F* admin\u002Fclass-advanced-cf7-db-admin.php lines ~948 (v2.0.9) *\u002F\n\u002F\u002FSetup export functionality here\nif(isset($_POST['btn_export'])){\n    \u002F\u002FGet form ID\n    $fid = (int)sanitize_text_field($_POST['fid']);\n\n    \u002F\u002FGet export id related information\n    $ids_export = ((isset($_POST['del_id']) && !empty($_POST['del_id'])) ? 
implode(',', array_map('sanitize_text_field',$_POST['del_id'])) : '');\n    $ids_export = ((isset($_POST['del_id']) && !empty($_POST['del_id'])) ? implode(',', array_map('intval',$_POST['del_id'])) : '');\n    \u002F\u002F\u002FGet export type related information\n    $type = sanitize_text_field($_POST['vsz-cf7-export']);\n    \u002F\u002FCheck type name and execute type related CASE\n    switch ($type) {\n        case 'csv':\n            $this->vsz_cf7_export_to_csv($fid, $ids_export);\n            break;\n        case 'excel':\n            $this->vsz_cf7_export_to_excel($fid, $ids_export);\n            break;\n    }\n}\n\n---\n\n\u002F* admin\u002Fclass-advanced-cf7-db-admin.php lines ~1508 (v2.0.9) *\u002F\npublic function vsz_cf7_export_to_excel($fid, $ids_export = ''){\n\tglobal $wpdb;\n\tinclude_once(ABSPATH . 'wp-content\u002Fplugins\u002Fadvanced-cf7-db\u002Fincludes\u002Flibraries\u002Fexcel\u002Fxls\u002Fvendor\u002Fautoload.php');\n\n\t$fid = intval($fid);\n\tif( empty( $fid ) ){\n    \treturn 'You do not have the permission to export the data';\n    }\n    $fields = vsz_cf7_get_db_fields($fid);\n    \u002F\u002F ... logic continues to query database and output file stream ...","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-cf7-db\u002F2.0.9\u002Fadmin\u002Fclass-advanced-cf7-db-admin.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-cf7-db\u002F2.1.0\u002Fadmin\u002Fclass-advanced-cf7-db-admin.php\n@@ -948,8 +953,24 @@\n \n \t\t\u002F\u002FSetup export functionality here\n \t\tif(isset($_POST['btn_export'])){\n+\t\t\t\u002F\u002FVerify nonce\n+\t\t\tif(!isset($_POST['_wpnonce']) || empty($_POST['_wpnonce'])){\n+\t\t\t\twp_die(__('Security check failed: Missing nonce.'));\n+\t\t\t}\n+\t\t\t$nonce = isset($_POST['_wpnonce']) ? 
sanitize_text_field(wp_unslash($_POST['_wpnonce'])) : '';\n+\t\t\tif(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {\n+\t\t\t\twp_die(__('Security check failed: Invalid nonce.'));\n+\t\t\t}\n+\n \t\t\t\u002F\u002FGet form ID\n-\t\t\t$fid = (int)sanitize_text_field($_POST['fid']);\n+\t\t\t$fid = (int)sanitize_text_field(wp_unslash($_POST['fid']));\n+\n+\t\t\t\u002F\u002FCheck capability - user must have view or edit permission for this form\n+\t\t\t$view_cap = 'cf7_db_form_view_'.$fid;\n+\t\t\t$edit_cap = 'cf7_db_form_edit_'.$fid;\n+\t\t\tif(!cf7_check_capability($view_cap) && !cf7_check_capability($edit_cap)){\n+\t\t\t\twp_die(__('You do not have permission to export this data.'));\n+\t\t\t}\n \n \t\t\t\u002F\u002FGet export id related information\n \t\t\t$ids_export = ((isset($_POST['del_id']) && !empty($_POST['del_id'])) ? implode(',', array_map('sanitize_text_field',$_POST['del_id'])) : '');","1. Authenticate as a Subscriber-level user.\n2. Identify the target Form ID (`cf7_id` or `fid`) of the Contact Form 7 submissions you wish to steal.\n3. Obtain a valid security nonce for the action `vsz-cf7-action-nonce`. This can typically be found in the admin dashboard source code (e.g., on `profile.php`) or leaked via enqueued scripts if the plugin does not properly restrict where the nonce is displayed.\n4. Send a POST request to `\u002Fwp-admin\u002Fadmin.php?page=contact-form-listing` with the following parameters: `btn_export=1`, `fid=[Target FID]`, `vsz-cf7-export=excel` (or `csv`), and `_wpnonce=[Valid Nonce]`.\n5. 
The server will respond with the binary Excel\u002FCSV data containing all submitted entries for the specified form ID, bypassing any intended administrative restrictions.","gemini-3-flash-preview","2026-04-16 16:31:52","2026-04-16 16:32:42",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-cf7-db\u002Ftags\u002F2.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-cf7-db.2.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-cf7-db\u002Ftags\u002F2.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-cf7-db.2.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-cf7-db\u002Ftags"]