WordPress Plugin Vulnerabilities

Live Preview for Contact Form 7 <= 1.2.0 - Missing Authorization via update_option

Description

The Live Preview for Contact Form 7 plugin for WordPress is vulnerable to unauthorized plugin option update due to a missing capability check on the update_option function in versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update the plugin's options.

Affects Plugins

Plugin icon
cf7-live-preview
No known fix

References

CVE
CVE-2023-47830
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/89dbf14f-1cc8-4a66-b3d3-3568cba9a0aa

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
thiennv
Verified
No
WPVDB ID
c4702e95-6a3e-4032-9fd5-586e141276b3

Timeline

Publicly Published
2023-11-16 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-03-23
Title
KiviCare – Clinic & Patient Management System (EHR) < 4.0.0 - Missing Authorization
Published
2025-05-29
Title
Responsive Plus < 3.2.1 - Missing Authorization
Published
2025-01-30
Title
Food Menu – Restaurant Menu & Online Ordering for WooCommerce < 5.2.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2025-11-05
Title
Tax Service Electronic HDM < 1.2.1 - Unauthenticated Arbitrary SQL Execution
Published
2026-02-26
Title
Magazine Blocks < 1.8.4 - Missing Authorization