CVE-2025-13717: CWE-862 Missing Authorization in ashishajani Contact Form vCard Generator
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages.
AI Analysis
Technical Summary
The Contact Form vCard Generator plugin for WordPress, developed by ashishajani, suffers from a missing authorization check vulnerability identified as CVE-2025-13717 (CWE-862). This vulnerability exists in all plugin versions up to and including 2.4. The core issue lies in the 'wp_gvccf_check_download_request' function, which lacks a capability check to verify if the requester is authorized to download Contact Form 7 submission data. As a result, an unauthenticated attacker can exploit this flaw by sending a specially crafted request containing the 'wp-gvc-cf-download-id' parameter to export sensitive data stored by the plugin. The exposed data includes personally identifiable information (PII) such as names, phone numbers, email addresses, and message contents submitted through Contact Form 7 forms. The vulnerability can be exploited remotely without any user interaction or authentication, increasing its risk profile. The CVSS v3.1 base score is 5.3, indicating medium severity, with the vector reflecting network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L) without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability primarily threatens the confidentiality of sensitive user data collected via Contact Form 7 forms on WordPress sites using this plugin.
Potential Impact
The primary impact of CVE-2025-13717 is unauthorized disclosure of sensitive user data collected through Contact Form 7 forms on WordPress sites using the vulnerable Contact Form vCard Generator plugin. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential targeted phishing or social engineering attacks leveraging the exposed personal information. Organizations relying on this plugin risk leaking customer or user contact details, which could be exploited by malicious actors for identity theft or spam campaigns. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have significant consequences, especially for businesses handling sensitive or regulated data. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and data harvesting by attackers. This threat is particularly relevant for organizations with public-facing WordPress sites that collect user submissions via Contact Form 7 and use the vulnerable plugin.
Mitigation Recommendations
To mitigate CVE-2025-13717, organizations should first verify if they are using the Contact Form vCard Generator plugin version 2.4 or earlier. Immediate steps include disabling or uninstalling the plugin if it is not essential. If the plugin is required, monitor the vendor’s official channels for patches or updates addressing this vulnerability and apply them promptly once available. In the absence of an official patch, implement web application firewall (WAF) rules to block or restrict access to requests containing the 'wp-gvc-cf-download-id' parameter from unauthenticated sources. Additionally, restrict access to WordPress admin and plugin-related endpoints via IP whitelisting or authentication mechanisms. Conduct an audit of Contact Form 7 submission data to identify any potential data leakage and notify affected users if necessary. Regularly review and harden WordPress security configurations, including limiting plugin usage to trusted and actively maintained components. Finally, monitor logs for suspicious download attempts targeting the vulnerable function to detect exploitation attempts early.
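The last recommendation above (monitor logs for download attempts that target the vulnerable function) can be turned into a small, self-contained check. The script below is an added example, not part of the advisory and not code from the plugin vendor: it parses web-server access-log lines in the common "combined" format, extracts every request that carries the 'wp-gvc-cf-download-id' query parameter named in the advisory, and groups the hits by client address so that bulk, automated harvesting (many distinct ids from one source) stands out from a single administrator export. The log lines are constructed for the example, and the threshold of three distinct ids per source is an assumption, not a value from the advisory.

```python
"""
Detection helper for CVE-2025-13717 exploitation attempts (added example,
not the advisory's or the plugin's own code).

Scans combined-format access-log lines for the 'wp-gvc-cf-download-id'
parameter and summarises activity per source IP.  Because a standard access
log records no session information, every hit is reported; on an unpatched
site any such request from an address that is not a known administrator is
worth reviewing, since the export needs no authentication there.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

PARAM = "wp-gvc-cf-download-id"

# Combined log format:
# host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log: one scripted source walking ids 1..3, one
# administrator export from the admin area, one unrelated page view.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2026:11:39:15 +0000] "GET /?wp-gvc-cf-download-id=1 HTTP/1.1" 200 1834 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jan/2026:11:39:16 +0000] "GET /?wp-gvc-cf-download-id=2 HTTP/1.1" 200 1790 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jan/2026:11:39:16 +0000] "GET /?wp-gvc-cf-download-id=3 HTTP/1.1" 200 1811 "-" "python-requests/2.31"
198.51.100.2 - - [09/Jan/2026:11:40:02 +0000] "GET /wp-admin/admin.php?page=gvccf&wp-gvc-cf-download-id=12 HTTP/1.1" 200 2048 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [09/Jan/2026:11:41:10 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def extract_download_ids(target: str) -> list:
    """Return every value of the download-id parameter in a request target."""
    query = urlsplit(target).query
    # Normalise key case so a differently-cased parameter is not missed.
    params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    return params.get(PARAM, [])


def find_download_requests(lines):
    """Return one event per request that carries the download-id parameter."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for download_id in extract_download_ids(rec["target"]):
            events.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "download_id": download_id,
                "status": rec["status"],
                # A 200 means the server answered the export request.
                "served": rec["status"] == 200,
            })
    return events


def summarize_by_source(events, threshold: int = 3):
    """Group events by client IP and flag sources that requested at least
    `threshold` distinct ids (threshold is an assumption for this example)."""
    by_ip = defaultdict(lambda: {"requests": 0, "ids": set(), "served": 0})
    for ev in events:
        entry = by_ip[ev["ip"]]
        entry["requests"] += 1
        entry["ids"].add(ev["download_id"])
        entry["served"] += int(ev["served"])
    return {
        ip: {
            "requests": e["requests"],
            "distinct_ids": len(e["ids"]),
            "served": e["served"],
            "suspicious": len(e["ids"]) >= threshold,
        }
        for ip, e in by_ip.items()
    }


if __name__ == "__main__":
    evs = find_download_requests(SAMPLE_LOG.splitlines())
    for ip, s in summarize_by_source(evs).items():
        flag = "SUSPICIOUS" if s["suspicious"] else "review"
        print(f"{ip}: {s['requests']} requests, {s['distinct_ids']} distinct ids, "
              f"{s['served']} served -> {flag}")
```

Run against a real log by replacing `SAMPLE_LOG.splitlines()` with the file's lines. Legitimate use of the export normally comes from a logged-in administrator inside the WordPress admin area, so a hit from the public front page, a scripted user agent, or a run of sequential ids from one address is the pattern to escalate; a WAF rule written from the same parameter match gives the preventive counterpart of this detection.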
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T21:54:45.575Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6960e8e3a48af7d8cea18792
Added to database: 1/9/2026, 11:39:15 AM
Last enriched: 2/27/2026, 10:13:20 AM
Last updated: 3/25/2026, 3:11:40 AM