WordPress Plugin Vulnerabilities

Conditional Fields for Contact Form 7 < 2.4.2 - Missing Authorization

Description

The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on an unknown function in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to make use of this function and dismiss notifications intended for admins. There is no security impact.

Affects Plugins

Plugin icon
cf7-conditional-fields
Fixed in 2.4.2

References

CVE
CVE-2023-47838
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3cfd8b2d-cf2a-439d-9f9a-dbe499b1cd48

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
ca533e68-5c83-4049-8d9f-020d0d8cd9ea

Timeline

Publicly Published
2023-11-16 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-11-25
Title
Hustle – Email Marketing, Lead Generation, Optins, Popups < 7.8.6 - Missing Authorization to Unpublished Form Exposure
Published
2026-01-24
Title
Wired Impact Volunteer Management < 2.8.1 - Missing Authorization
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Missing Authorization to Post Modification
Published
2025-12-12
Title
MediaCommander – Bring Folders to Media, Posts, and Pages < 2.4.0 - Missing Authorization to Authenticated (Author+) Media Folder Deletion
Published
2024-07-05
Title
Business One Page < 1.3.0 - Missing Authorization to Notice Dismissal