Country State City Dropdown CF7 < 2.7.2 – Missing Authorization | CVE 2024-3520 | Plugin Vulnerabilities

Description

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tc_csca_patch_settings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber access and above, to add states or cities to the dropdown.

Affects Plugins

country-state-city-auto-dropdown

Fixed in 2.7.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/08ccd4a3-ea1f-49b3-b4ce-ab1e247e1f76

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

bb1b3418-981c-435f-8028-893ddb56aa85

Timeline

Publicly Published

2024-04-15 (about 2 years ago)

Added

2024-04-15 (about 2 years ago)

Last Updated

2024-04-15 (about 2 years ago)

Other

Published

Title

Published

2024-06-06

Title

Leyka < 3.31.2 - Missing Authorization

Published

2024-03-08

Title

EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending

Published

2024-04-04

Title

Classified Listing – Classified ads & Business Directory Plugin < 3.0.5 - Missing Authorization

Published

2024-10-24

Title

WP Booking System < 2.0.19.11 - Missing Authorization via wpbs_refresh_calendar_editor

Published

2025-06-26

Title

VG WORT METIS <= 2.0.1 - Missing Authorization