WordPress Plugin Vulnerabilities

Ultimate Addons for Contact Form 7 < 3.1.24 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape the id and form_id parameters before using them in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Affects Plugins

Plugin icon
ultimate-addons-for-contact-form-7
Fixed in 3.1.24

References

CVE
CVE-2022-47586

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
minhtuanact
Verified
No
WPVDB ID
0fb4da7c-e9ba-4ddf-b37f-5453603c6399

Timeline

Publicly Published
2023-05-09 (about 3 years ago)
Added
2023-06-19 (about 2 years ago)
Last Updated
2023-06-19 (about 2 years ago)

Other

Published
Title
Published
2024-04-29
Title
Calendar < 1.3.15 - Contributor+ SQLi via Shortcode
Published
2019-08-07
Title
JoomSport <= 3.3 - SQL Injection
Published
2021-09-27
Title
Permalink Manager Lite < 2.2.13.1 - Admin+ SQL Injection
Published
2017-08-14
Title
Link-Library <= 5.9.13.26 – Authenticated SQL Injection
Published
2025-11-24
Title
Bookme <= 4.2 - Authenticated (Admin+) SQL Injection via 'filter[status]' Parameter