WordPress Plugin Vulnerabilities

Jquery Validation For Contact Form 7 < 5.3 - Arbitrary Options Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like default_role, users_can_register via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
jquery-validation-for-contact-form-7
Fixed in 5.3

References

CVE
CVE-2022-2144

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Gibran Abdillah
Submitter
Gibran Abdillah
Verified
Yes
WPVDB ID
419054d4-95e8-4f4a-b864-a98b3e18435a

Timeline

Publicly Published
2022-06-27 (about 3 years ago)
Added
2022-06-27 (about 3 years ago)
Last Updated
2023-04-01 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
WP Page Loading < 1.0.7 - Cross-Site Request Forgery
Published
2019-04-23
Title
Contact Form Builder <= 1.0.68 - CSRF to LFI
Published
2024-09-25
Title
GiveWP < 3.16.0 - Cross-Site Request Forgery
Published
2023-07-31
Title
MultiParcels Shipping For WooCommerce < 1.15.2 - Arbitrary Shipment Deletion via CSRF
Published
2024-03-15
Title
Builder for WooCommerce reviews shortcodes – ReviewShort < 1.01.4 - Cross-Site Request Forgery