WordPress Plugin Vulnerabilities

Contact Form 7 Database Addon – CFDB7 < 1.2.7 - Unauthenticated Sensitive Information Exposure

Description

The Contact Form 7 Database Addon – CFDB7 plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.6.8 via the cfdb7_before_send_mail function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.

Affects Plugins

Plugin icon
contact-form-cfdb7
Fixed in 1.2.7

References

CVE
CVE-2024-3870
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/995a6c1d-fb49-4953-9828-f6594ac45fa7

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
a58000cd-ea9c-4980-b199-0dd6aa994e2f

Timeline

Publicly Published
2024-04-26 (about 2 years ago)
Added
2024-04-26 (about 2 years ago)
Last Updated
2024-04-26 (about 2 years ago)

Other

Published
Title
Published
2024-08-08
Title
My Custom CSS PHP & ADS <= 3.3 - Unauthenticated Full Path Disclosure
Published
2024-12-23
Title
BookingPress < 1.1.23 - Unauthenticated Export File Download
Published
2022-10-17
Title
WP < 6.0.3 - Email Address Disclosure via wp-mail.php
Published
2024-11-05
Title
Contact Form 7 – Dynamic Text Extension < 4.5.1 - Information Disclosure via Shortcode
Published
2024-08-09
Title
Shared Files < 1.7.29 - Unauthenticated Sensitive Information Exposure