VYPR
Medium severity 5.3 · NVD Advisory · Published Jun 20, 2025 · Updated Apr 23, 2026

CVE-2025-49988

Description

Missing Authorization vulnerability in Renzo Johnson Contact Form 7 AWeber Extension integrate-contact-form-7-and-aweber allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form 7 AWeber Extension: from n/a through <= 0.1.40.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Contact Form 7 AWeber Extension plugin for WordPress (<= 0.1.40) lacks proper authorization checks, allowing unauthenticated exploitation of incorrectly configured access controls.

The Contact Form 7 AWeber Extension plugin for WordPress, versions 0.1.40 and earlier, contains a Missing Authorization vulnerability. This flaw allows an attacker to exploit incorrectly configured access control security levels within the plugin, effectively bypassing intended permission checks [1].

Attackers can trigger this vulnerability without requiring any prior authentication or special privileges. The plugin fails to properly verify user capabilities before executing certain functions, making it possible for unauthenticated visitors to perform actions reserved for higher-privileged users [1]. This type of broken access control is particularly dangerous in WordPress environments where plugin functions are often accessible through admin-ajax or direct calls.

A successful exploit could allow an attacker to modify plugin settings, access subscription data, or perform other unauthorized actions within the AWeber integration. While the CVSS score (5.3 Medium) suggests moderate impact, such vulnerabilities are known to be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

The vulnerability has been patched in version 0.1.43 of the plugin. Users are strongly advised to update immediately or enable auto-updates for vulnerable plugins. If immediate updating is not possible, site administrators should consider temporarily disabling the plugin or consulting with their hosting provider for alternative mitigation steps [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
