Plugin Vulnerability Hub
Plugin | 9 known issues | Latest disclosed Apr 08, 2026

Advanced Contact form 7 DB Vulnerabilities

Review known vulnerability records for the WordPress plugin Advanced Contact form 7 DB (`advanced-cf7-db`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-0811, CVE-2026-0814 and CVE-2014-2054, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 9
High or Critical: 3
Patch Coverage: 100%
Last Updated: Apr 08, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Advanced Contact form 7 DB so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 9 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 2 high severity findings.
Recent CVEs: CVE-2026-0811, CVE-2026-0814 and CVE-2014-2054
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for Advanced Contact form 7 DB

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Severity: Medium | Patched: Yes | CVE-2026-0811
Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenti...

Published: Apr 08, 2026
Patched Release: 2.1.0
Affected Versions: Versions up to 2.0.9
Next Step: Update to 2.1.0 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2026-0814
Advanced CF7 DB <= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subsc...

Published: Apr 08, 2026
Patched Release: 2.1.0
Affected Versions: Versions up to 2.0.9
Next Step: Update to 2.1.0 or newer if supported.

Plugin | Severity: Low | Patched: Yes | CVE-2014-2054
Advanced Contact form 7 DB <= 2.0.8 & Import any XML, CSV or Excel File to WordPress <= 3.8.0 - Use of Vulnerable Component (PHPExcel)

Multiple plugins for WordPress utilize a vulnerable dependency (PHPExcel) in various versions. No vulnerabilities have been confirmed exploitable in either plugin; however, an update is still recommended for both.

Published: Apr 07, 2025
Patched Release: 2.0.9
Affected Versions: Versions up to 2.0.8
Next Step: Update to 2.0.9 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2024-4319
Advanced Contact form 7 DB <= 2.0.2 - Missing Authorization to Unauthenticated Information Disclosure

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download t...

Published: Jun 10, 2024
Patched Release: 2.0.3
Affected Versions: Versions up to 2.0.2
Next Step: Update to 2.0.3 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2024-3723
Advanced Contact form 7 DB <= 2.0.2 - Sensitive Information Exposure

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data...

Published: Jun 10, 2024
Patched Release: 2.0.3
Affected Versions: Versions up to 2.0.2
Next Step: Update to 2.0.3 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2022-29408
Advanced Contact form 7 DB <= 1.8.7 - Stored Cross-Site Scripting

Persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin

Published: Apr 21, 2022
Patched Release: 1.8.8
Affected Versions: Versions up to 1.8.7
Next Step: Update to 1.8.8 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2021-24905
Advanced Contact form 7 DB <= 1.8.6 - Authenticated Arbitrary File Deletion

The Advanced Contact form 7 DB WordPress plugin before 1.8.7 has neither authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For...

Published: Feb 22, 2022
Patched Release: 1.8.7
Affected Versions: Versions before 1.8.7
Next Step: Update to 1.8.7 or newer if supported.

Plugin | Severity: Critical | Patched: Yes | CVE-2019-13571
Advanced Contact Form 7 DB <= 1.6.2 - SQL Injection

A SQL injection vulnerability exists in the Vsourz Digital Advanced CF7 DB plugin through 1.6.1 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system. 1.7.0 contained an additional secur...

Published: Sep 22, 2020
Patched Release: 1.7.0
Affected Versions: Versions up to 1.6.2
Next Step: Update to 1.7.0 or newer if supported.

Plugin | Severity: High | Patched: Yes
Advanced Contact form 7 DB <= 1.6.0 - SQL Injection

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to SQL Injection via the 'acf7db' shortcode in versions before 1.6.1 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

Published: Apr 11, 2019
Patched Release: 1.6.1
Affected Versions: Versions before 1.6.1
Next Step: Update to 1.6.1 or newer if supported.