Simple Basic Contact Form < 20240511 – Unauthenticated Arbitrary Shortcode Execution | CVE 2024-4144 | Plugin Vulnerabilities

Description

The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the functionality of other plugins installed in the environment.

Affects Plugins

simple-basic-contact-form

Fixed in 20240511

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ded1944f-662d-4d25-8277-4b1dc63b2144

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

8a9a2d91-12b7-4db7-b224-61e0b6df3e42

Timeline

Publicly Published

2024-05-13 (about 2 years ago)

Added

2024-05-13 (about 2 years ago)

Last Updated

2024-05-13 (about 2 years ago)

Other

Published

Title

Published

2016-08-02

Title

wSecure Lite <= 2.3 - Remote Code Execution (RCE)

Published

2024-10-09

Title

External featured image from bing <= 1.0.2 - Authenticated (Subscriber+) Remote Code Execution

Published

2025-01-06

Title

Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

Published

2025-04-03

Title

TagDiv Composer < 5.4 - Unauthenticated Arbitrary PHP Object Instantiation

Published

2025-02-07

Title

WP All Export Pro < 1.9.2 - Unauthenticated Remote Code Execution via Custom Export Fields