Unauthorized Data Access in Contact Form vCard Generator Plugin for WordPress
CVE-2025-13717

5.3MEDIUM

Key Information:

Vendor

WordPress
Status
Contact Form Vcard Generator
Vendor
CVE Published:
9 January 2026

What is CVE-2025-13717?

The Contact Form vCard Generator plugin for WordPress exhibits a vulnerability that allows unauthorized access to sensitive data. A flaw in the 'wp_gvccf_check_download_request' function, present in all versions up to and including 2.4, bypasses necessary capability checks. This oversight permits unauthenticated attackers to exploit the 'wp-gvc-cf-download-id' parameter, leading to the potential export of sensitive information gathered from Contact Form 7 submissions, including names, phone numbers, email addresses, and user messages.

Affected Version(s)

Contact Form vCard Generator * <= 2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/contact-form-v...
https://plugins.trac.wordpress.org/browser/contact-form-v...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sopon Tangpathum (SoNaJaa)
JSON
.
CVE-2025-13717 : Unauthorized Data Access in Contact Form vCard Generator Plugin for WordPress