WordPress Plugin Vulnerabilities

Ultimate Addons for Contact Form 7 < 3.1.24 - Subscriber+ SQL Injection

Description

The plugin does not properly sanitize the 'id' parameter, leading to a SQL Injection vulnerability.

Affects Plugins

Plugin icon
ultimate-addons-for-contact-form-7
Fixed in 3.1.24

References

CVE
CVE-2023-1615
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ultimate-addons-for-contact-form-7/ultimate-addons-for-contact-form-7-3123-authenticatedsubscriber-sql-injection

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Etan Imanol Castro Aldrete
Verified
No
WPVDB ID
c0006c2b-5065-43b4-a76b-405a202b2fc6

Timeline

Publicly Published
2023-06-08 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Wp-ImageZoom - zoom.php id Parameter SQL Injection
Published
2025-03-06
Title
School Management System for Wordpress < 93.0.0 - Authenticated (Subscriber+) SQL Injection via 'mj_smgt_show_event_task'
Published
2015-01-15
Title
Feedweb 2.4.1-3.0.6 - SQL Injection
Published
2023-12-27
Title
Fluent Support < 1.7.7 - Authenticated(Administrator+) SQL Injection
Published
2025-09-22
Title
Wp tabber widget <= 4.0 - Authenticated (Contributor+) SQL Injection