CVE-2025-13717

Description

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wp_gvccf_check_download_request function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the wp-gvc-cf-download-id parameter, including names, phone numbers, email addresses, and messages.