VYPR
Medium severity5.3NVD Advisory· Published Jan 17, 2026· Updated Apr 15, 2026

CVE-2025-12825

CVE-2025-12825

Description

The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets.

Affected products

1

Patches

Vulnerability mechanics

References

2

News mentions

1