Medium severity5.3NVD Advisory· Published Jan 17, 2026· Updated Apr 15, 2026
CVE-2025-12825
CVE-2025-12825
Description
The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets.
Affected products
1- Range: <=2.5
Patches
Vulnerability mechanics
References
2News mentions
1- U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026Trend Micro Research · Apr 9, 2026