CVE-2025-13717
📋 TL;DR
This vulnerability allows unauthenticated attackers to export sensitive Contact Form 7 submission data from WordPress sites using the Contact Form vCard Generator plugin. Attackers can access names, phone numbers, email addresses, and messages without authentication. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Contact Form vCard Generator WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all contact form submissions containing PII and sensitive communications, leading to data breaches, privacy violations, and potential identity theft or phishing campaigns.
Likely Case
Unauthorized access to contact form data containing personal information, enabling spam, targeted phishing, or data harvesting.
If Mitigated
Limited exposure if plugin is disabled or removed, though historical data may already be compromised.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests with the 'wp-gvc-cf-download-id' parameter to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Contact Form vCard Generator'. 4. Click 'Update Now' if available, or download latest version from WordPress repository. 5. Activate updated plugin.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate contact-form-vcard-generator
Block Vulnerable Endpoint
linuxUse web application firewall or .htaccess to block access to vulnerable function.
# Add to .htaccess: RewriteCond %{QUERY_STRING} wp-gvc-cf-download-id [NC] RewriteRule .* - [F]
🧯 If You Can't Patch
- Disable the Contact Form vCard Generator plugin immediately.
- Remove the plugin entirely and use alternative contact form solutions.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Contact Form vCard Generator' version 2.4 or earlier.Check Version:
wp plugin get contact-form-vcard-generator --field=versionVerify Fix Applied:
Verify plugin version is 2.5 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'wp-gvc-cf-download-id' parameter
- Unusual download requests to plugin endpoints from unauthenticated users
Network Indicators:
- GET/POST requests to /wp-admin/admin-ajax.php or plugin-specific URLs with download parameters
SIEM Query:
source="web_logs" AND (uri="*wp-gvc-cf-download-id*" OR query="*wp-gvc-cf-download-id*")🔗 References
- https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105
- https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13
- https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105
- https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve
