Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.1 – Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting | CVE 2024-12419 | Plugin Vulnerabilities

Description

The The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. Version 1.7.0 patched the Reflected XSS issue, however, the arbitrary shortcode execution issue remains.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5d78ea71-5886-488e-a660-0dc25129a8b6

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

42355ae2-dae2-4411-ba3e-e55b86663ea4

Timeline

Publicly Published

2025-01-06 (about 1 year ago)

Added

2025-01-06 (about 1 year ago)

Last Updated

2025-03-13 (about 1 year ago)

Other

Published

Title

Published

2025-03-12

Title

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.8.7 - Unauthenticated Arbitrary Shortcode Execution

Published

2023-09-19

Title

File Manager Pro < 1.8.1 - Admin+ Remote Code Execution

Published

2022-10-28

Title

Api2Cart Bridge Connector < 1.2.0 - Unauthenticated RCE

Published

2026-02-17

Title

Product Addons for Woocommerce – Product Options with Custom Fields < 3.1.1 - Authenticated (Shop Manager+) Code Injection via Conditional Logic 'operator' Parameter

Published

2014-09-27

Title

Advanced Access Manager 2.8.2 - Admin User File Read/Write