Unauthorized Data Access in Ultra Addons for Contact Form 7 Plugin by WordPress
CVE-2025-14356

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Ultra Addons For Contact Form 7
Vendor
CVE Published:
12 December 2025

What is CVE-2025-14356?

The Ultra Addons for Contact Form 7 plugin for WordPress presents a vulnerability that allows attackers with Subscriber-level access or higher to access unauthorized data. This issue arises from a missing capability check in the 'uacf7_get_generated_pdf' function. If the 'PDF Generator' and 'Database' addons are enabled, authenticated attackers can exploit this flaw to generate and retrieve PDF documents containing sensitive form submission data. Users should ensure all relevant updates are applied to mitigate potential risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Ultra Addons for Contact Form 7 * <= 3.5.33

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/ultimate-addon...
https://plugins.trac.wordpress.org/browser/ultimate-addon...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Angus Girvan
JSON
.