CVE-2025-13717
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | contact_form_vcard_generator | to 2.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests for the presence of suspicious parameters such as 'wp-gvc-cf-download-id', 'wp-gvc-cf-download-all', or 'wp-gvc-cf-delete-id' being used without proper authentication. You can inspect web server logs or use network monitoring tools to look for these parameters in GET or POST requests. Additionally, checking for unauthorized access attempts to the plugin's download or delete functionalities is important. For example, you can use commands like 'grep' on your web server logs to find requests containing these parameters: grep -E 'wp-gvc-cf-download-id|wp-gvc-cf-download-all|wp-gvc-cf-delete-id' /path/to/access.log. Also, scanning your WordPress installation for the plugin version (<= 2.4) can help identify if the vulnerable plugin is present. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Contact Form vCard Generator plugin to a version later than 2.4 where this vulnerability is fixed. 2) If an update is not immediately available, restrict access to the plugin's download and delete functionalities by implementing authentication checks or IP restrictions at the web server or application level. 3) Disable or remove the plugin temporarily to prevent exploitation. 4) Monitor logs for suspicious activity related to the vulnerable parameters and respond accordingly. 5) Review and harden database access permissions to limit potential damage from SQL injection attacks. [1, 3]
Can you explain this vulnerability to me?
CVE-2025-13717 is a vulnerability in the WordPress plugin Contact Form vCard Generator, specifically in the function wp_gvccf_check_download_request. The plugin improperly handles user-supplied input parameters, such as 'wp-gvc-cf-download-id', by directly concatenating them into SQL queries without proper sanitization or parameterization. This leads to SQL injection vulnerabilities, allowing attackers to manipulate database queries. The vulnerability affects operations like downloading or deleting vCards generated from Contact Form 7 submissions, enabling unauthorized access to sensitive data including names, phone numbers, email addresses, and messages. [1, 3]
How can this vulnerability impact me? :
This vulnerability can allow unauthenticated attackers to perform SQL injection attacks on the WordPress database used by the Contact Form vCard Generator plugin. As a result, attackers can export sensitive contact form submission data such as names, phone numbers, email addresses, and messages without authorization. They may also be able to delete or modify records in the database, compromising data integrity and confidentiality. [1, 3]