Conditional Fields for Contact Form 7 < 2.4.14 – Cross-Site Request Forgery to Plugin Setting Reset | CVE 2024-5804 | Plugin Vulnerabilities

Description

The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

cf7-conditional-fields

Fixed in 2.4.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/827c5dc2-3195-47d9-9e44-ca2043748eed

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Marco Wotschka

Verified

No

WPVDB ID

53595eb6-6623-49f8-a6c7-66b829dbc61c

Timeline

Publicly Published

2024-07-19 (about 1 year ago)

Added

2024-07-19 (about 1 year ago)

Last Updated

2024-07-20 (about 1 year ago)

Other

Published

Title

Published

2025-12-31

Title

Gmail SMTP <= 1.0.7 - Cross-Site Request Forgery

Published

2025-01-16

Title

Anonymize Links <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2016-12-21

Title

copy-me 1.0.0 - Copy Posts Cross-Site Request Forgery (CSRF)

Published

2024-10-18

Title

Most And Least Read Posts Widget < 2.5.19 - Cross-Site Request Forgery via most_and_least_read_posts_options

Published

2024-08-16

Title

Brave Popup Builder < 0.7.1 - Cross-Site Request Forgery