WordPress Plugin Vulnerabilities

CF7 Reply Manager <= 1.2.3 - Authenticated (Subscriber+) Arbitrary File Upload

Description

The CF7 Reply Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
cf7-reply-manager
No known fix

References

CVE
CVE-2024-52404
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/68366105-996c-4069-978c-c6ff222acd55

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
95123dc0-3958-47db-82e7-ac5acb9c3008

Timeline

Publicly Published
2024-11-13 (about 1 year ago)
Added
2024-11-21 (about 1 year ago)
Last Updated
2024-11-21 (about 1 year ago)

Other

Published
Title
Published
2025-11-10
Title
Astra Security Suite <= 0.2 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
D&elion - Arbitry File Upload
Published
2024-10-25
Title
Ajar in5 Embed < 3.1.4 - Unauthenticated Arbitrary File Upload
Published
2022-11-21
Title
User Registration < 2.2.4.1 - Subscriber+ Arbitrary File Upload
Published
2025-05-09
Title
StoreKeeper for WooCommerce < 14.4.5 - Unauthenticated Arbitrary File Upload