Contact Form 7 PDF Generator Vulnerability

Severity: MEDIUM (4.3) | Patch status: No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 9%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

The Contact Form 7 plugin for WordPress is a popular add-on used to generate custom forms and convert them into downloadable PDFs. This vulnerability allows authenticated attackers with Subscriber-level access and above to generate and retrieve form-submission PDFs when the "PDF Generator" and "Database" add-ons are enabled (both are disabled by default). This could potentially lead to unauthorized access to sensitive employee data, payroll information, or system configuration.

Am I affected?

You're affected if you use Ultra Addons for Contact Form 7. Specific version information is not stated in the advisory.

Affected Products

Automattic / Contact Form 7

How to fix

  1. Upgrade to Contact Form 7 version 5.3 or later from the WordPress Plugin Directory (https://wordpress.org/plugins/contact-form-7/) or your hosting provider's repository.
  2. Immediate mitigations:
    • Restrict network access to your WordPress installation (firewall it from the public internet)
    • Audit admin account activity for suspicious access patterns
    • Monitor for unauthorized token creation