2026-01-09 11:15:34
Wordfence
PUBLISHED
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wp_gvccf_check_download_request function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the wp-gvc-cf-download-id parameter, including names, phone numbers, email addresses, and messages.