{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12825", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T19:06:39.317Z", "datePublished": "2026-01-17T04:34:02.212Z", "dateUpdated": "2026-04-08T17:16:59.140Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:59.140Z"}, "affected": [{"vendor": "zealopensource", "product": "User Registration Using Contact Form 7", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets."}], "title": "User Registration Using Contact Form 7 <= 2.5 - Authenticated (Subscriber+) Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433276%40user-registration-using-contact-form-7&new=3433276%40user-registration-using-contact-form-7&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2026-01-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T18:34:21.355448Z", "id": "CVE-2025-12825", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T18:34:56.055Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12825", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T18:34:21.355448Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T18:34:27.924Z"}}], "cna": {"title": "User Registration Using Contact Form 7 <= 2.5 - Authenticated (Subscriber+) Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "zealopensource", "product": "User Registration Using Contact Form 7", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433276%40user-registration-using-contact-form-7&new=3433276%40user-registration-using-contact-form-7&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-17T04:34:02.212Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12825", "state": "PUBLISHED", "dateUpdated": "2026-01-20T18:34:56.055Z", "dateReserved": "2025-11-06T19:06:39.317Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-17T04:34:02.212Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets."}, {"lang": "es", "value": "El plugin User Registration Using Contact Form 7 para WordPress es vulnerable a acceso no autorizado a datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'get_cf7_form_data' en todas las versiones hasta la 2.5, inclusive. Esto hace posible que atacantes no autenticados recuperen la configuraci\u00f3n del formulario, lo que incluye secretos de la aplicaci\u00f3n de Facebook."}], "id": "CVE-2025-12825", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-17T05:16:09.070", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433276%40user-registration-using-contact-form-7&new=3433276%40user-registration-using-contact-form-7&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T23:57:12.075885+00:00", "value": {"mitigation_remediation": ["Update the User Registration Using Contact Form 7 plugin to the latest available version, which resolves the missing capability check.", "If an update is not possible immediately, disable or delete the plugin to remove the exposed endpoint.", "Add a custom code snippet to the theme\u2019s functions.php that blocks unauthenticated requests to the 'get_cf7_form_data' route or implements a role\u2011based check before the plugin\u2019s data is returned."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Information Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the User Registration Using Contact Form 7 plugin from the 'zealopensource' vendor, any version 2.5 or lower, are affected. The plugin is commonly used to populate Contact Form 7 forms with user registration data.", "description_and_impact": "The User Registration Using Contact Form 7 plugin for WordPress lacks a capability check in the 'get_cf7_form_data' function for all versions up to 2.5. Because of this missing authorization, any unauthenticated attacker can call the function and receive the full set of form settings, which includes sensitive data such as Facebook application secrets. The vulnerability corresponds to missing authorization (CWE\u2011862). This exposure compromises the confidentiality of application credentials and could enable further compromise of linked services.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and an EPSS of less than 1% suggests exploitation is currently unlikely, though not impossible. The vulnerability can be exploited over the network by any unauthenticated user who can reach the plugin\u2019s 'get_cf7_form_data' endpoint, but the precise location of this endpoint is not detailed in the advisory and is inferred from the plugin\u2019s API exposure. The flaw is not listed in CISA\u2019s KEV catalog, but it remains a valid medium\u2011risk flaw for any affected WordPress installation. An attacker who successfully retrieves the form settings could use the Facebook app secrets to impersonate the site or drain sensitive data from connected services. The flaw is most likely exploitable in publicly accessible sites that host the plugin and lack additional access controls."}}}}, "created": "2026-01-19T09:19:35.988714+00:00", "updated": "2026-04-22T00:00:03.955782+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}