VYPR
Medium severity 4.3 · NVD Advisory · Published Sep 22, 2025 · Updated Apr 28, 2026

CVE-2025-58016

Description

Missing Authorization vulnerability in Codexpert, Inc CF7 Submissions cf7-submissions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Submissions: from n/a through <= 0.26.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in CF7 Submissions (≤0.26) allows unauthenticated access to submission data, enabling bulk exploitation on WordPress sites.

The CF7 Submissions plugin for WordPress, versions 0.26 and earlier, suffers from a missing authorization (broken access control) vulnerability. The plugin fails to properly enforce access control checks on certain functions, meaning that an attacker can bypass intended permission requirements without needing any authentication or nonce token validation [1].

This issue is classified as a CWE-862 Missing Authorization and is actively used in mass‑exploit campaigns. Attackers scan for vulnerable installations and exploit the missing check to retrieve or manipulate submission data from Contact Form 7 forms. No special network position or privileges are required; the attack can be carried out remotely over HTTP just by targeting the appropriate plugin endpoint [1].

The impact is primarily the exposure of sensitive data submitted through forms (such as personal information, messages, or files). Because the vulnerability does not require elevated privileges, a large number of sites can be compromised in automated attacks, potentially leading to privacy breaches or identity theft. The CVSS v3 base score is 4.3 (Medium), reflecting the low exploit complexity and lack of authentication, though the overall risk is elevated by the ease of mass exploitation [1].

Mitigation is straightforward: users must update the CF7 Submissions plugin to a patched version (0.27 or later). For those unable to update immediately, consulting a hosting provider or developer is advised. No workaround other than disabling the plugin has been documented, so updating is the recommended course of action [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
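An inventory check for the update guidance above, as an added example that is not part of the advisory or the plugin's code: it reads the standard WordPress plugin header under the `cf7-submissions` directory and reports whether the installed version falls in the affected range (through 0.26). The function names, the result labels and the sample file name `plugin-main.php` are assumptions made for illustration, and the plugin trees it runs on are constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "cf7-submissions"   # plugin slug as written in the advisory
LAST_AFFECTED = "0.26"     # upper bound of the affected range in the advisory
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)

def version_key(version):
    """'0.26' -> (0, 26, 0, 0): segments compare as integers, not as a decimal."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version):
    # 0.3 sorts before 0.26 (3 < 26), as in PHP's version_compare(); a float
    # comparison would call 0.3 "newer" and wrongly clear it.
    return version_key(version) <= version_key(LAST_AFFECTED)

def installed_version(plugins_dir):
    """Version header of the plugin under plugins_dir, or None if not installed."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress itself only reads the first 8 KB of a file for headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if NAME_RE.search(head):
            found = VERSION_RE.search(head)
            return found.group(1) if found else "unknown"
    return "unknown"   # directory present but no readable header

def audit(plugins_dir):
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed"
    # "unknown" has no digits, keys to all zeros, and is reported as affected.
    return "affected" if is_affected(version) else "outside-affected-range"

def demo():
    """Run the audit over constructed plugin trees (the file name is made up)."""
    results = {}
    for v in ("0.26", "0.3", "0.27"):
        with tempfile.TemporaryDirectory() as root:
            plugin_dir = Path(root) / SLUG
            plugin_dir.mkdir()
            header = f"<?php\n/**\n * Plugin Name: CF7 Submissions\n * Version: {v}\n */\n"
            (plugin_dir / "plugin-main.php").write_text(header, encoding="utf-8")
            results[v] = audit(root)
    return results
```

On a real host, pass `audit()` the site's `wp-content/plugins` directory; a result of `affected` means the plugin should be updated or disabled as described above.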

Affected products

2

Patches

0

No patches discovered yet.

References

1
