{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12167", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T14:19:43.666Z", "datePublished": "2025-11-08T03:27:45.362Z", "dateUpdated": "2026-04-08T16:35:40.392Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:40.392Z"}, "affected": [{"vendor": "rnzo", "product": "Connect Contact Form 7 and AWeber", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1.42", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs."}], "title": "Contact Form 7 AWeber Extension <= 0.1.42 - Missing Authorization to Authenticated (Subscriber+) Log Reset", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f4ecda0-1eaa-44e7-8ef5-20c967b5da9f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390662%40integrate-contact-form-7-and-aweber&new=3390662%40integrate-contact-form-7-and-aweber&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-10-29T22:24:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T20:11:52.810039Z", "id": "CVE-2025-12167", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T20:12:07.256Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12167", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-10T20:11:52.810039Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T20:12:03.691Z"}}], "cna": {"title": "Contact Form 7 AWeber Extension <= 0.1.42 - Missing Authorization to Authenticated (Subscriber+) Log Reset", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "rnzo", "product": "Connect Contact Form 7 and AWeber", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.42"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-29T22:24:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f4ecda0-1eaa-44e7-8ef5-20c967b5da9f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390662%40integrate-contact-form-7-and-aweber&new=3390662%40integrate-contact-form-7-and-aweber&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:40.392Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12167", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:40.392Z", "dateReserved": "2025-10-24T14:19:43.666Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T03:27:45.362Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs."}], "id": "CVE-2025-12167", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T04:15:44.857", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390662%40integrate-contact-form-7-and-aweber&new=3390662%40integrate-contact-form-7-and-aweber&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f4ecda0-1eaa-44e7-8ef5-20c967b5da9f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:17:33.330016+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to the latest version (0.1.43 or later) to apply the missing authorization check.", "If an upgrade is pending, temporarily reduce Subscriber role permissions or remove the ability of subscribers to access the AJAX endpoint by editing the plugin code or using a security plugin to block the endpoint for non\u2011admins. ", "Review and adjust user roles, limiting the number of users with Subscriber or higher permissions, and monitor audit logs for unexpected log reset events."], "summary": {"action": "Update plugin", "impact": "Unauthorized data modification and log reset"}, "threat_synthesis": {"affected_systems": "WordPress sites running the plugin Integrate Contact Form 7 and AWeber version 0.1.42 or earlier. The plugin is distributed by rnzo.", "description_and_impact": "The Integrate Contact Form 7 and AWeber plugin contains an AJAX endpoint that resets AWeber logs without verifying the user's role. Because the check is missing, any authenticated user with Subscriber level or higher can trigger a log reset. This lack of authorization (CWE-862) can allow attackers to tamper with integration data and potentially disrupt service availability for the affected WordPress site.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a medium risk, and the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability requires legitimate authentication and a role of Subscriber or higher, limiting lateral movement to users with those privileges. The plugin is not included in the CISA KEV list, so there is no evidence of widespread exploitation. Nonetheless, site administrators who have many subscriber accounts should consider the potential for internal misuse."}}}}, "created": "2025-11-10T09:33:37.100893+00:00", "updated": "2026-04-22T21:30:27.814394+00:00", "vendors": ["rnzo", "rnzo$PRODUCT$contact_form_7_aweber_extension", "wordpress", "wordpress$PRODUCT$wordpress"]}