CVE-2025-13717 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Contact Form vCard Generator WordPress plugin developed by ashishajani. This plugin, widely used to export Contact Form 7 submissions as vCard files, contains a critical flaw in the 'wp_gvccf_check_download_request' function where it fails to perform proper capability checks before processing download requests. Specifically, the plugin does not verify whether the requester is authorized to access the data identified by the 'wp-gvc-cf-download-id' parameter. As a result, unauthenticated attackers can craft HTTP requests to this endpoint and retrieve sensitive submission data including personal identifiers such as names, phone numbers, email addresses, and message contents. The vulnerability affects all versions up to and including 2.4. The CVSS 3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network exploitable, low attack complexity, no privileges or user interaction required, unchanged scope, and limited confidentiality impact. No patches or official fixes have been published yet, and no exploits are known in the wild. However, the exposure of personal data can lead to privacy violations and potential GDPR non-compliance. The vulnerability is particularly concerning for websites handling sensitive user submissions, such as customer support or contact forms on corporate or governmental sites.

For European organizations, this vulnerability poses a significant risk to the confidentiality of personal data collected via Contact Form 7 forms on WordPress sites using the vulnerable plugin. Unauthorized data export can lead to exposure of personally identifiable information (PII), potentially resulting in privacy breaches and violations of the EU General Data Protection Regulation (GDPR). Such breaches can incur heavy fines and reputational damage. The vulnerability does not affect data integrity or availability, but the unauthorized disclosure of contact information can facilitate phishing, social engineering, or targeted attacks against affected individuals or organizations. Organizations in sectors such as healthcare, finance, government, and customer service, which often collect sensitive contact data, are particularly at risk. Additionally, the ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and data harvesting by malicious actors. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially once exploit code becomes publicly available.

European organizations should take immediate steps to mitigate this vulnerability. First, monitor the plugin vendor’s channels for official patches or updates and apply them promptly once available. Until a patch is released, restrict access to the vulnerable download endpoint by implementing web application firewall (WAF) rules that block or rate-limit requests containing the 'wp-gvc-cf-download-id' parameter from unauthenticated sources. Additionally, review and harden WordPress user roles and permissions to ensure minimal access to sensitive data. Consider disabling or replacing the Contact Form vCard Generator plugin with alternative solutions that enforce proper authorization. Conduct thorough audits of existing Contact Form 7 submissions to identify any potential data leakage. Implement logging and alerting for unusual download activities targeting the vulnerable endpoint. Finally, ensure that data protection officers and compliance teams are informed to assess and report any potential GDPR implications.