Extensions For CF7 < 3.4.1 – Authenticated (Contributor+) Insecure Direct Object Reference | CVE 2026-24991 | Plugin Vulnerabilities

Description

The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

Affects Plugins

extensions-for-cf7

Fixed in 3.4.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cdcb09ee-80c7-445c-932f-7fce3ae743c5

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nabil Irawan

Verified

No

WPVDB ID

bd36d4ef-09ba-42a3-9693-6605c0e6a42f

Timeline

Publicly Published

2026-01-23 (about 5 months ago)

Added

2026-02-02 (about 4 months ago)

Last Updated

2026-02-02 (about 4 months ago)

Other

Published

Title

Published

2026-03-14

Title

Wicked Folders < 4.1.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion

Published

2022-11-24

Title

WooCommerce Product Vendors < 2.1.69 - Vendor Commission Percentage Update via IDOR

Published

2022-04-21

Title

WPQA < 5.2 - Subscriber+ Private Message Disclosure via IDOR

Published

2025-11-20

Title

ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.0 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client'

Published

2023-02-14

Title

Popup Builder by OptinMonster < 2.12.2 - Subscriber+ Arbitrary Post Content Disclosure