Plugin Vulnerability Hub
Plugin | 14 known issues | Latest disclosed Mar 14, 2026

Ultra Addons for Contact Form 7 Vulnerabilities

Review known vulnerability records for the WordPress plugin Ultra Addons for Contact Form 7 (`ultimate-addons-for-contact-form-7`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-32460, CVE-2026-24945 and CVE-2025-14356, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 14
High or Critical: 5
Patch Coverage: 100%
Last Updated: Mar 19, 2026

Priority CVE Quick Links

Fast paths into Ultra Addons for Contact Form 7 CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 14

CVE-2022-47586 | Critical | Patched in 3.1.24 | Ultra Addons for Contact Form 7 SQL Injection
Ultimate Addons for Contact Form 7 <= 3.1.23 - Unauthenticated SQL Injection via form_id

CVE-2023-1615 | High | Patched in 3.1.24 | Ultra Addons for Contact Form 7 SQL Injection
Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated (Subscriber+) SQL Injection

CVE-2023-30495 | High | Patched in 3.1.24 | Ultra Addons for Contact Form 7 SQL Injection
Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated (Subscriber+) SQL Injection via id

CVE-2025-6212 | High | Patched in 3.5.20 | Ultra Addons for Contact Form 7 Stored Cross-Site Scripting
Ultra Addons for Contact Form 7 3.5.11 - 3.5.19 - Unauthenticated Stored Cross-Site Scripting via Database module

CVE-2025-6220 | High | Patched in 3.5.13 | Ultra Addons for Contact Form 7 Remote Code Execution
Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options'

CVE-2026-32460 | Medium | Patched in 3.5.37 | Ultra Addons for Contact Form 7 Stored Cross-Site Scripting
Ultra Addons for Contact Form 7 <= 3.5.36 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-6756 | Medium | Patched in 3.5.22 | Ultra Addons for Contact Form 7 Stored Cross-Site Scripting
Ultra Addons for Contact Form 7 <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode

CVE-2023-49766 | Medium | Patched in 3.2.1 | Ultra Addons for Contact Form 7 Cross-Site Scripting
Ultimate Addons for Contact Form 7 <= 3.2.0 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Ultra Addons for Contact Form 7 so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 14 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 4 high severity findings.
Recent CVEs: CVE-2026-32460, CVE-2026-24945 and CVE-2025-14356
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for Ultra Addons for Contact Form 7

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2026-32460
CVE-2026-32460: Ultra Addons for Contact Form 7 <= 3.5.36 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level ac...

Published: Mar 14, 2026
Patched Release: 3.5.37
Affected Versions: Versions up to 3.5.36
Next Step: Update to 3.5.37 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2026-24945
CVE-2026-24945: Ultimate Addons for Contact Form 7 <= 3.5.34 - Missing Authorization

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.34. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published: Dec 13, 2025
Patched Release: 3.5.35
Affected Versions: Versions up to 3.5.34
Next Step: Update to 3.5.35 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-14356
CVE-2025-14356: Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with...

Published: Dec 11, 2025
Patched Release: 3.5.34
Affected Versions: Versions up to 3.5.33
Next Step: Update to 3.5.34 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-6756
CVE-2025-6756: Ultra Addons for Contact Form 7 <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's UACF7_CUSTOM_FIELDS shortcode in all versions up to, and including, 3.5.21 due to insufficient input sanitization and output escaping on user supplied attributes...

Published: Jun 30, 2025
Patched Release: 3.5.22
Affected Versions: Versions up to 3.5.21
Next Step: Update to 3.5.22 or newer if supported.

Plugin | High | Patched: Yes | CVE-2025-6212
CVE-2025-6212: Ultra Addons for Contact Form 7 3.5.11 - 3.5.19 - Unauthenticated Stored Cross-Site Scripting via Database module

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized val...

Published: Jun 25, 2025
Patched Release: 3.5.20
Affected Versions: 3.5.11 through 3.5.19
Next Step: Update to 3.5.20 or newer if supported.

Plugin | High | Patched: Yes | CVE-2025-6220
CVE-2025-6220: Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options'

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator...

Published: Jun 17, 2025
Patched Release: 3.5.13
Affected Versions: Versions up to 3.5.12
Next Step: Update to 3.5.13 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-49766
CVE-2023-49766: Ultimate Addons for Contact Form 7 <= 3.2.0 - Reflected Cross-Site Scripting

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated atta...

Published: Dec 04, 2023
Patched Release: 3.2.1
Affected Versions: Versions up to 3.2.0
Next Step: Update to 3.2.1 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-47693
CVE-2023-47693: Ultimate Addons for Contact Form 7 <= 3.2.10 - Missing Authorization

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the uacf7_database_export_csv() function hooked via init in versions up to, and including, 3.2.10. This makes it possible for unauthentica...

Published: Nov 09, 2023
Patched Release: 3.2.11
Affected Versions: Versions up to 3.2.10
Next Step: Update to 3.2.11 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-30493
CVE-2023-30493: Ultimate Addons for Contact Form 7 <= 3.1.0 - Reflected Cross-Site Scripting via 'page'

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated atta...

Published: Aug 28, 2023
Patched Release: 3.1.2
Affected Versions: Versions up to 3.1.0
Next Step: Update to 3.1.2 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-2803
CVE-2023-2803: Ultimate Addons for Contact Form 7 <= 3.1.28 - Reflected Cross-Site Scripting

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in versions up to, and including, 3.1.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attack...

Published: Jul 24, 2023
Patched Release: 3.1.29
Affected Versions: Versions before 3.1.29
Next Step: Update to 3.1.29 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-2802
CVE-2023-2802: Ultimate Addons for Contact Form 7 <= 3.1.28 - Authenticated (Admin+) Stored Cross-Site Scripting

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings like the 'Redirect URL' field in versions up to, and including, 3.1.28 due to insufficient input sanitization and output escaping. This makes it possible fo...

Published: Jul 24, 2023
Patched Release: 3.1.29
Affected Versions: Versions before 3.1.29
Next Step: Update to 3.1.29 or newer if supported.

Plugin | High | Patched: Yes | CVE-2023-1615
CVE-2023-1615: Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated (Subscriber+) SQL Injection

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in versions up to, and including, 3.1.23. This makes it possible for authenticated attackers of any authorization level to append additional SQL queries into already...

Published: Jun 08, 2023
Patched Release: 3.1.24
Affected Versions: 3.1.23 through 3.1.23
Next Step: Update to 3.1.24 or newer if supported.