Integration for Contact Form 7 HubSpot <=1.3.1 – Cross-Site Request Forgery | CVE 2024-34756 | Plugin Vulnerabilities

Description

The Integration for Contact Form 7 HubSpot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 1.3.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4ce32dcb-3b7b-433e-9add-512dc2f9f2d8

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Chan

Verified

No

WPVDB ID

8d180f51-7ad9-414c-8856-0b399e94298b

Timeline

Publicly Published

2024-05-14 (about 2 years ago)

Added

2024-05-20 (about 2 years ago)

Last Updated

2024-05-20 (about 2 years ago)

Other

Published

Title

Published

2025-05-02

Title

Advanced Reorder Image Text Slider <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-02-17

Title

Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later < 1.2.27 - Cross-Site Request Forgery to Wishlist Creation/Modification

Published

2025-04-09

Title

CG Scroll To Top <= 3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2021-02-17

Title

Process Steps Template Designer < 1.3 - CSRF to Stored Cross-Site Scripting (XSS)

Published

2025-12-11

Title

Foxtool All-in-One: Contact chat button, Custom login, Media optimize images < 2.5.3 - Cross-Site Request Forgery to Google OAuth Connection