CVE-2025-14356
📋 TL;DR
The Ultra Addons for Contact Form 7 WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Subscriber-level access or higher to generate and access PDFs of form submissions. This occurs when the PDF Generator and Database addons are enabled, though these are disabled by default. Attackers can potentially access sensitive form data submitted by other users.
💻 Affected Systems
- Ultra Addons for Contact Form 7 WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive personal or business information submitted through contact forms, potentially leading to data breaches, privacy violations, and regulatory compliance issues.
Likely Case
Unauthorized access to form submission data containing names, email addresses, phone numbers, and potentially other personal information submitted through contact forms.
If Mitigated
Limited impact if PDF Generator and Database addons remain disabled, or if proper user access controls and monitoring are in place.
🎯 Exploit Status
Exploitation requires authenticated access and specific addons enabled. The vulnerability is straightforward to exploit once conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.34 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3417590/ultimate-addons-for-contact-form-7
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ultra Addons for Contact Form 7'.
4. Click 'Update Now' if available, or download the latest version from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable addons
Disable the PDF Generator and Database addons in the plugin settings.
Restrict user registration
Limit user registration to prevent unauthorized accounts with Subscriber access.
🧯 If You Can't Patch
- Disable the PDF Generator and Database addons in plugin settings immediately
- Implement strict user access controls and monitor for suspicious PDF generation activities
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins → Installed Plugins and note the version of Ultra Addons for Contact Form 7. If the version is 3.5.33 or lower and the PDF Generator and Database addons are enabled, the system is vulnerable.
Check Version:
wp plugin list --name=ultimate-addons-for-contact-form-7 --field=version
Verify Fix Applied:
Verify that the plugin version is 3.5.34 or higher in the WordPress admin panel. Then test the PDF generation functionality with a Subscriber-level account to confirm that access is properly restricted.
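As an added verification helper (not vendor code or part of the original advisory), the following script wraps the wp-cli version check above and compares the installed version against the fixed release 3.5.34 using `sort -V`, which orders dotted numeric versions correctly where a plain string comparison would not. The plugin slug is taken from the page's trac URLs; whether the PDF Generator and Database addons are enabled is left to the admin UI, since the page does not name the option keys.

```shell
#!/bin/sh
# Added example, not vendor code. Flags installs of Ultra Addons for Contact Form 7
# older than the fixed release 3.5.34 (CVE-2025-14356).
FIXED_VERSION="3.5.34"
PLUGIN_SLUG="ultimate-addons-for-contact-form-7"   # slug taken from the plugin's trac URLs

# version_lt A B -> succeeds if A is strictly older than B (dotted numeric versions).
# sort -V orders 3.5.9 before 3.5.34; a plain string compare would get this wrong.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_vulnerable_version VERSION -> prints "yes" if VERSION predates the fix, else "no".
is_vulnerable_version() {
    if version_lt "$1" "$FIXED_VERSION"; then echo yes; else echo no; fi
}

# installed_version -> the version wp-cli reports for the plugin, or empty if it is
# not installed (or wp-cli is unavailable).
installed_version() {
    wp plugin list --name="$PLUGIN_SLUG" --field=version 2>/dev/null
}

# main -> exit 0 if fixed, 1 if the vulnerable version is installed, 2 if undetermined.
main() {
    ver=$(installed_version)
    if [ -z "$ver" ]; then
        echo "$PLUGIN_SLUG: not installed, or wp-cli unavailable"
        return 2
    fi
    if [ "$(is_vulnerable_version "$ver")" = yes ]; then
        echo "$PLUGIN_SLUG $ver: VULNERABLE if the PDF Generator and Database addons are enabled; update to $FIXED_VERSION or later"
        return 1
    fi
    echo "$PLUGIN_SLUG $ver: fixed version installed"
    return 0
}

# Run the live check only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
    exit $?
fi
```

Run it from the WordPress install directory as `sh check_uacf7.sh --run`; the exit code (0 fixed, 1 vulnerable, 2 undetermined) makes it usable from a fleet-wide inventory job.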
📡 Detection & Monitoring
Log Indicators:
- Unusual PDF generation requests from Subscriber-level users
- Multiple PDF generation attempts from single user account
- PDF access logs showing unauthorized user IDs
Network Indicators:
- HTTP requests to PDF generation endpoints from unauthorized user roles
- Unusual traffic patterns to PDF-related plugin files
SIEM Query:
source="wordpress.log" AND ("uacf7_get_generated_pdf" OR "pdf-generator.php") AND user_role="subscriber"
🔗 References
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L316
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L321
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L341
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L53
- https://plugins.trac.wordpress.org/changeset/3417590/ultimate-addons-for-contact-form-7
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3af9ece0-1556-4457-87ee-343daec5e74f?source=cve