WordPress Plugin Vulnerabilities

Contact form 7 Custom validation <= 1.1.3 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape the post parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated uers

Affects Plugins

Plugin icon
cf7-field-validation
No known fix

References

CVE
CVE-2023-40609

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
minhtuanact
Verified
No
WPVDB ID
1fbc305d-5e3a-4749-b5a6-82dd5d4ebf6a

Timeline

Publicly Published
2023-08-17 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2025-06-09
Title
TicketBAI Facturas para WooCommerce < 3.21 - Unauthenticated SQL Injection
Published
2025-08-27
Title
JS Archive List < 6.1.6 - Unauthenticated SQL Injection
Published
2025-02-14
Title
WP Project Manager < 2.6.18 - Authenticated (Subscriber+) SQL Injection via orderby Parameter
Published
2017-08-07
Title
Easy Modal < 2.1.0 - Authenticated SQL Injection
Published
2026-03-26
Title
Simply Schedule Appointments < 1.6.9.29 - Authenticated (Contributor+) SQL Injection