{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13717", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T21:54:45.575Z", "datePublished": "2026-01-09T11:15:34.501Z", "dateUpdated": "2026-04-08T17:19:03.200Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:03.200Z"}, "affected": [{"vendor": "ashishajani", "product": "Contact Form vCard Generator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages."}], "title": "Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sopon Tangpathum (SoNaJaa)"}], "timeline": [{"time": "2026-01-08T21:36:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T17:43:47.192497Z", "id": "CVE-2025-13717", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T17:44:09.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13717", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T17:43:47.192497Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T17:44:03.397Z"}}], "cna": {"title": "Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Sopon Tangpathum (SoNaJaa)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "ashishajani", "product": "Contact Form vCard Generator", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-08T21:36:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105"}], "descriptions": [{"lang": "en", "value": "The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-09T11:15:34.501Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13717", "state": "PUBLISHED", "dateUpdated": "2026-01-09T17:44:09.501Z", "dateReserved": "2025-11-25T21:54:45.575Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T11:15:34.501Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages."}, {"lang": "es", "value": "El plugin Contact Form vCard Generator para WordPress es vulnerable a acceso no autorizado a datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'wp_gvccf_check_download_request' en todas las versiones hasta la 2.4, inclusive. Esto hace posible que atacantes no autenticados exporten datos sensibles de env\u00edos de Contact Form 7 a trav\u00e9s del par\u00e1metro 'wp-gvc-cf-download-id', incluyendo nombres, n\u00fameros de tel\u00e9fono, direcciones de correo electr\u00f3nico y mensajes."}], "id": "CVE-2025-13717", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T12:15:51.740", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T23:59:26.131052+00:00", "value": {"mitigation_remediation": ["Upgrade the Contact Form vCard Generator plugin to the latest version available from the WordPress plugin repository or the vendor site, which should include the missing capability check.", "If an immediate upgrade is not possible, restrict access to the wp-gvc-cf-download-id endpoint by enforcing authentication\u2014e.g., use .htaccess rules or a web\u2011application firewall to block unauthenticated requests.", "If the vCard export feature is unnecessary, disable or remove the plugin entirely, preventing the exposed data export capability from being available."], "summary": {"action": "Patch Immediately", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "All installations of the Contact Form vCard Generator plugin version 2.4 and earlier, distributed by ashishajani for WordPress sites, are affected. The plugin is deployed in every instance that has not been upgraded beyond version 2.4.", "description_and_impact": "The Contact Form vCard Generator plugin for WordPress contains a missing capability check in the wp_gvccf_check_download_request function. This flaw allows unauthenticated users to trigger the wp-gvc-cf-download-id parameter and exfiltrate Contact Form 7 submissions, including names, phone numbers, email addresses, and messages. The vulnerability directly compromises the confidentiality of user\u2011submitted data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this weakness by sending unauthenticated HTTP requests that include a wp-gvc-cf-download-id parameter to the plugin\u2019s endpoint, allowing widespread data extraction without requiring any credentials."}}}}, "created": "2026-01-09T13:23:40.221186+00:00", "updated": "2026-04-22T00:00:03.959121+00:00", "vendors": ["ashishajani", "ashishajani$PRODUCT$contact_form_vcard_generator", "wordpress", "wordpress$PRODUCT$wordpress"]}