Research Plan: CVE-2026-0825 - Unauthenticated Form Data Exfiltration via CSV Export

1. Vulnerability Summary

The Database for Contact Form 7, WPforms, Elementor forms plugin (version <= 1.4.5) contains a missing authorization vulnerability in its CSV export functionality. While the plugin's frontend shortcode properly restricts which form entries a user can view, the underlying CSV export handler (triggered via an init or admin_init hook) fails to perform any capability checks (e.g., current_user_can('manage_options')).

The export process is "protected" only by an export_key. However, this key is intentionally exposed in the public page source code to facilitate frontend export buttons, allowing unauthenticated attackers to obtain the key and download the entire database of form submissions (containing PII like emails and names) for any form.

2. Attack Vector Analysis

• Endpoint: The WordPress frontend (index.php) or admin-post.php.
• Query Parameters:
  • vcf7_export_csv=1 (or similar trigger parameter, inferred from plugin slug/logic)
  • form_id=[ID] (The ID of the Contact Form 7 or WPForms form)
  • vcf7_export_key=[KEY] (The leaked authorization key)
• Authentication: Unauthenticated (No login required).
• Preconditions:
  • The plugin must have stored at least one form submission.
  • A page must exist containing the plugin's shortcode (e.g., [contact-form-7-entries]), which renders the export key in the source.

3. Code Flow

1. Entry Point: The plugin registers a handler on the init hook:
   • add_action('init', 'vcf7_export_entries_handler'); (inferred function name).
2. Identification: The handler checks if a specific GET parameter is present (e.g., $_GET['vcf7_export_csv']).
3. Key Verification: The handler retrieves the form_id and vcf7_export_key from the request. It compares the provided key against the key stored in the database or generated for that form.
4. The Flaw: Crucially, the handler does not call current_user_can() or check is_user_logged_in().
5. Data Sink: If the key matches, the plugin queries the $wpdb->prefix . 'vcf7_container' table (or similar) for all entries matching the form_id.
6. Output: It sets headers (Content-Type: text/csv) and streams the data using fputcsv(), bypassing any user-level filtering logic present in the shortcode rendering.

4. Nonce/Key Acquisition Strategy

The "export key" serves as the pseudo-nonce here. It is exposed via wp_localize_script or printed directly in the shortcode output.

1. Identify Shortcode: The primary shortcode is [contact-form-7-entries].
2. Create Trigger Page:

   wp post create --post_type=page --post_status=publish --post_title="Entries" --post_content='[contact-form-7-entries id="FORM_ID_HERE"]'
   

3. Navigate & Extract:
   • Navigate to the page as an unauthenticated user.
   • The plugin localizes data for its frontend script. Search for a global JavaScript object, likely named vcf7_entries_obj or vcf7_ajax_object.
   • Use browser_eval to extract the key:
     browser_eval("window.vcf7_entries_obj?.export_key") (inferred key name).
   • Alternatively, check for a "Download CSV" link in the HTML and parse the vcf7_export_key parameter from its href.

5. Exploitation Strategy

1. Target Identification: Determine the ID of a form that has submissions.
2. Key Extraction:
   • Create a public page with the shortcode for that form ID.
   • Use browser_navigate to visit the page.
   • Use browser_eval to extract the vcf7_export_key.
3. Data Exfiltration:
   • Construct an unauthenticated HTTP GET request to the site root with the exfiltrated key.
   • Request Details:
     • Method: GET
     • URL: http://localhost:8080/?vcf7_export_csv=1&form_id=[ID]&vcf7_export_key=[EXTRACTED_KEY] (parameters inferred).
4. Execution: Use http_request to fetch the CSV.

6. Test Data Setup

1. Install Dependencies: Ensure contact-form-7 is installed and active.
2. Create Form:

   wp eval 'if(!get_posts(array("title"=>"Target Form","post_type"=>"wpcf7_contact_form"))){ $id = wp_insert_post(array("post_title"=>"Target Form","post_type"=>"wpcf7_contact_form","post_status"=>"publish")); }'
   

3. Create Entries: Manually insert dummy PII into the plugin's database table to ensure there is data to export.

   # Inferred table name based on plugin slug 'contact-form-entries'
   wp db query "INSERT INTO wp_vcf7_container (form_id, form_data, created_at) VALUES (1, '{\"your-name\":\"Attacker\",\"your-email\":\"victim@example.com\",\"subject\":\"Secret\",\"message\":\"Sensitive Info\"}', NOW())"
   

4. Publish Shortcode:

   wp post create --post_type=page --post_status=publish --post_content='[contact-form-7-entries id="1"]'
   

7. Expected Results

• The extraction step should return a string (the export key).
• The HTTP request to the export endpoint should return an HTTP 200 OK response.
• The response headers should contain Content-Type: text/csv or application/octet-stream.
• The response body should contain the PII data inserted in the setup phase (e.g., victim@example.com).

8. Verification Steps

1. Check Response Content: Verify the presence of the CSV header and the dummy data in the response from http_request.
2. Verify Unauthenticated Status: Ensure the http_request tool is used without passing any WordPress session cookies.
3. Compare with Admin Export: Run wp vcf7-entries export [ID] (if CLI exists) or check the database to confirm the downloaded CSV matches the internal records.

9. Alternative Approaches

• Parameter Guessing: If the parameter is not vcf7_export_csv, check the source for other $_GET keys in contact-form-entries.php.
• Shortcode Variants: Try [vcf7-get-entries] or [cf7-db-entries] if the standard one fails.
• Admin-Ajax/Admin-Post: If the init hook is not used, check if the export is registered as a wp_ajax_nopriv_vcf7_export action. If so, the request goes to /wp-admin/admin-ajax.php?action=vcf7_export.