10 vulnerabilities by rocklobster
CVE-2025-3247 (GCVE-0-2025-3247)
Vulnerability from cvelistv5 – Published: 2025-04-16 05:23 – Updated: 2025-04-16 13:23
Title
Contact Form 7 <= 6.0.5 - Order Replay Vulnerability
Summary
The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Severity ?
5.3 (Medium)
CWE
- CWE-354 - Improper Validation of Integrity Check Value
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| takayukister | Contact Form 7 | Affected: * , ≤ 6.0.5 (semver) |
Credits
Asaf Mozes
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T13:23:21.654939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T13:23:45.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form 7",
"vendor": "takayukister",
"versions": [
{
"lessThanOrEqual": "6.0.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Asaf Mozes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the \u0027wpcf7_stripe_skip_spam_check\u0027 function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354 Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T05:23:00.706Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38257dbf-288e-4028-af65-85f5389888ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7/tags/6.0.5/modules/stripe/stripe.php#L114"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3270138/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-15T16:56:22.000+00:00",
"value": "Disclosed"
}
],
"title": "Contact Form 7 \u003c= 6.0.5 - Order Replay Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3247",
"datePublished": "2025-04-16T05:23:00.706Z",
"dateReserved": "2025-04-04T00:06:57.248Z",
"dateUpdated": "2025-04-16T13:23:45.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4704 (GCVE-0-2024-4704)
Vulnerability from cvelistv5 – Published: 2024-06-27 06:00 – Updated: 2024-08-01 20:47
Title
Contact Form 7 < 5.9.5 - Unauthenticated Open Redirect
Summary
The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing.
Severity ?
6.1 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Contact Form 7 | Affected: 0 , < 5.9.5 (semver) |
Credits
William Bastos - cHoR4o
WPScan
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "contact_form_7",
"vendor": "rocklobster",
"versions": [
{
"lessThan": "5.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-4704",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T13:46:26.464358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T13:49:26.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.750Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/8bdcdb5a-9026-4157-8592-345df8fb1a17/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "William Bastos - cHoR4o"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T06:00:04.176Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/8bdcdb5a-9026-4157-8592-345df8fb1a17/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": " Contact Form 7 \u003c 5.9.5 - Unauthenticated Open Redirect",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-4704",
"datePublished": "2024-06-27T06:00:04.176Z",
"dateReserved": "2024-05-09T19:06:53.947Z",
"dateUpdated": "2024-08-01T20:47:41.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2242 (GCVE-0-2024-2242)
Vulnerability from cvelistv5 – Published: 2024-03-13 21:32 – Updated: 2024-08-01 19:03
Summary
The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| takayukister | Contact Form 7 | Affected: * , ≤ 5.9 (semver) |
Credits
Asaf Mozes
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-14T13:20:36.435085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:16.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5bf4972-424a-4470-a0bc-7dcc95378e0e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3049594/contact-form-7/trunk/admin/edit-contact-form.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form 7",
"vendor": "takayukister",
"versions": [
{
"lessThanOrEqual": "5.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Asaf Mozes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018active-tab\u2019 parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-13T21:32:56.042Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5bf4972-424a-4470-a0bc-7dcc95378e0e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3049594/contact-form-7/trunk/admin/edit-contact-form.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-13T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2242",
"datePublished": "2024-03-13T21:32:56.042Z",
"dateReserved": "2024-03-06T22:41:15.679Z",
"dateUpdated": "2024-08-01T19:03:39.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6630 (GCVE-0-2023-6630)
Vulnerability from cvelistv5 – Published: 2024-01-11 04:30 – Updated: 2025-06-17 21:09
Summary
The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key.
Severity ?
4.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| sevenspark | Contact Form 7 – Dynamic Text Extension | Affected: * , ≤ 4.1.0 (semver) |
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3019572%40contact-form-7-dynamic-text-extension%2Ftrunk\u0026old=2968460%40contact-form-7-dynamic-text-extension%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-11T17:56:49.856338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:09:13.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form 7 \u2013 Dynamic Text Extension",
"vendor": "sevenspark",
"versions": [
{
"lessThanOrEqual": "4.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form 7 \u2013 Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-359 Exposure of Private Information (\u0027Privacy Violation\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T04:30:47.600Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3019572%40contact-form-7-dynamic-text-extension%2Ftrunk\u0026old=2968460%40contact-form-7-dynamic-text-extension%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file4"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-10T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6630",
"datePublished": "2024-01-11T04:30:47.600Z",
"dateReserved": "2023-12-08T16:49:16.312Z",
"dateUpdated": "2025-06-17T21:09:13.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6449 (GCVE-0-2023-6449)
Vulnerability from cvelistv5 – Published: 2023-12-01 11:00 – Updated: 2024-10-15 17:40
Summary
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.
Severity ?
6.6 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| takayukister | Contact Form 7 | Affected: * , ≤ 5.8.3 (semver) |
Credits
István Márton
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7/tags/5.8.3/includes/formatting.php#L275"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rocklobster-in/contact-form-7/compare/v5.8.3...v5.8.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://contactform7.com/2023/11/30/contact-form-7-584/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3003556/contact-form-7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6449",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:15:08.628263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:40:47.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form 7",
"vendor": "takayukister",
"versions": [
{
"lessThanOrEqual": "5.8.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the \u0027validate\u0027 function and insufficient blocklisting on the \u0027wpcf7_antiscript_file_name\u0027 function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site\u0027s server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-01T11:00:06.019Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7/tags/5.8.3/includes/formatting.php#L275"
},
{
"url": "https://github.com/rocklobster-in/contact-form-7/compare/v5.8.3...v5.8.4"
},
{
"url": "https://contactform7.com/2023/11/30/contact-form-7-584/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3003556/contact-form-7"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-11-21T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-11-21T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-11-30T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6449",
"datePublished": "2023-12-01T11:00:06.019Z",
"dateReserved": "2023-11-30T21:43:37.083Z",
"dateUpdated": "2024-10-15T17:40:47.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40609 (GCVE-0-2023-40609)
Vulnerability from cvelistv5 – Published: 2023-11-06 08:15 – Updated: 2024-09-05 14:01
Title
WordPress Contact form 7 Custom validation Plugin <= 1.1.3 is vulnerable to SQL Injection
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection. This issue affects Contact form 7 Custom validation: from n/a through 1.1.3.
Severity ?
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Aiyaz, maheshpatel | Contact form 7 Custom validation | Affected: n/a , ≤ 1.1.3 (custom) |
Credits
minhtuanact (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:38:50.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/cf7-field-validation/wordpress-contact-form-7-custom-validation-plugin-1-1-3-unauth-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40609",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:00:42.788849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:01:00.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cf7-field-validation",
"product": "Contact form 7 Custom validation",
"vendor": "Aiyaz, maheshpatel",
"versions": [
{
"lessThanOrEqual": "1.1.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "minhtuanact (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection.\u003cp\u003eThis issue affects Contact form 7 Custom validation: from n/a through 1.1.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection.This issue affects Contact form 7 Custom validation: from n/a through 1.1.3.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T08:15:24.225Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cf7-field-validation/wordpress-contact-form-7-custom-validation-plugin-1-1-3-unauth-sql-injection-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Contact form 7 Custom validation Plugin \u003c= 1.1.3 is vulnerable to SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40609",
"datePublished": "2023-11-06T08:15:24.225Z",
"dateReserved": "2023-08-17T10:47:42.478Z",
"dateUpdated": "2024-09-05T14:01:00.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24159 (GCVE-0-2021-24159)
Vulnerability from cvelistv5 – Published: 2021-04-05 18:27 – Updated: 2024-08-03 19:21
Title
Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Summary
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Contact Form 7 Style | Affected: 3.1.9 , ≤ 3.1.9 (custom) |
Credits
Chloe Chamberland
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/363182f1-9fda-4363-8f6a-be37c4c07aa9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sites-must-find-alternative-for-contact-form-7-style/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Contact Form 7 Style",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "3.1.9",
"status": "affected",
"version": "3.1.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site\u2019s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T18:27:43",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/363182f1-9fda-4363-8f6a-be37c4c07aa9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sites-must-find-alternative-for-contact-form-7-style/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Contact Form 7 Style \u003c= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24159",
"STATE": "PUBLIC",
"TITLE": "Contact Form 7 Style \u003c= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Contact Form 7 Style",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.1.9",
"version_value": "3.1.9"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site\u2019s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/363182f1-9fda-4363-8f6a-be37c4c07aa9",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/363182f1-9fda-4363-8f6a-be37c4c07aa9"
},
{
"name": "https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sites-must-find-alternative-for-contact-form-7-style/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sites-must-find-alternative-for-contact-form-7-style/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24159",
"datePublished": "2021-04-05T18:27:43",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:21:18.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-35489 (GCVE-0-2020-35489)
Vulnerability from cvelistv5 – Published: 2020-12-17 18:16 – Updated: 2024-08-04 17:02
Summary
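The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
Note: the CNA record for this entry lists vendor, product and version as "n/a", so the fixed version (5.3.2) appears only in this description text and not in the structured "affected" data; tooling that matches installed versions against the structured fields will not flag this entry.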
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:02:08.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/contact-form-7/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://contactform7.com/2020/12/17/contact-form-7-532/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/10508"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-17T18:16:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/contact-form-7/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://contactform7.com/2020/12/17/contact-form-7-532/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/10508"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-35489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/contact-form-7/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/contact-form-7/#developers"
},
{
"name": "https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/",
"refsource": "MISC",
"url": "https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/"
},
{
"name": "https://contactform7.com/2020/12/17/contact-form-7-532/",
"refsource": "MISC",
"url": "https://contactform7.com/2020/12/17/contact-form-7-532/"
},
{
"name": "https://wpscan.com/vulnerability/10508",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/10508"
},
{
"name": "https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/",
"refsource": "MISC",
"url": "https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-35489",
"datePublished": "2020-12-17T18:16:00",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-04T17:02:08.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-20979 (GCVE-0-2018-20979)
Vulnerability from cvelistv5 – Published: 2019-08-22 12:36 – Updated: 2024-08-05 12:19
Summary
The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:19:26.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/contact-form-7/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-22T12:36:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/contact-form-7/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-20979",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/contact-form-7/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/contact-form-7/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-20979",
"datePublished": "2019-08-22T12:36:19",
"dateReserved": "2019-08-21T00:00:00",
"dateUpdated": "2024-08-05T12:19:26.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2265 (GCVE-0-2014-2265)
Vulnerability from cvelistv5 – Published: 2014-03-14 10:00 – Updated: 2024-08-06 10:06
Summary
Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:06:00.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://contactform7.com/2014/02/26/contact-form-7-372/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://wordpress.org/plugins/contact-form-7/changelog"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://web.archive.org/web/20140727133642/http://www.hedgehogsecurity.co.uk/2014/02/26/contactform7-vulnerability/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-contact-form-7-security-bypass-3-7-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cvedetails.com/cve/CVE-2014-2265/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-27T12:44:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://contactform7.com/2014/02/26/contact-form-7-372/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://wordpress.org/plugins/contact-form-7/changelog"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://web.archive.org/web/20140727133642/http://www.hedgehogsecurity.co.uk/2014/02/26/contactform7-vulnerability/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-contact-form-7-security-bypass-3-7-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cvedetails.com/cve/CVE-2014-2265/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-2265",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://contactform7.com/2014/02/26/contact-form-7-372/",
"refsource": "CONFIRM",
"url": "http://contactform7.com/2014/02/26/contact-form-7-372/"
},
{
"name": "http://wordpress.org/plugins/contact-form-7/changelog",
"refsource": "CONFIRM",
"url": "http://wordpress.org/plugins/contact-form-7/changelog"
},
{
"name": "http://web.archive.org/web/20140727133642/http://www.hedgehogsecurity.co.uk/2014/02/26/contactform7-vulnerability/",
"refsource": "MISC",
"url": "http://web.archive.org/web/20140727133642/http://www.hedgehogsecurity.co.uk/2014/02/26/contactform7-vulnerability/"
},
{
"name": "https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-contact-form-7-security-bypass-3-7-1/",
"refsource": "MISC",
"url": "https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-contact-form-7-security-bypass-3-7-1/"
},
{
"name": "https://www.cvedetails.com/cve/CVE-2014-2265/",
"refsource": "MISC",
"url": "https://www.cvedetails.com/cve/CVE-2014-2265/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-2265",
"datePublished": "2014-03-14T10:00:00",
"dateReserved": "2014-03-04T00:00:00",
"dateUpdated": "2024-08-06T10:06:00.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}