WordPress Plugin Vulnerabilities

Contact Form to Any API < 1.1.7 - Subscriber+ API Entry Record Deletion

Description

The plugin does not have authorisation check when deleting CF7 API entry records, which could allow any authenticated users, such as subscriber to delete them

Affects Plugins

Plugin icon
contact-form-to-any-api
Fixed in 1.1.7

References

CVE
CVE-2023-47871
URL
https://patchstack.com/database/vulnerability/contact-form-to-any-api/wordpress-contact-form-to-any-api-plugin-1-1-6-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Arvandy
Verified
No
WPVDB ID
cb513c20-d37d-4785-a10a-d8bcafc8456e

Timeline

Publicly Published
2023-11-20 (about 2 years ago)
Added
2023-11-29 (about 2 years ago)
Last Updated
2024-01-01 (about 2 years ago)

Other

Published
Title
Published
2024-12-02
Title
Church Admin < 5.0.9 - Missing Authorization
Published
2023-10-27
Title
Post Meta Data Manager < 1.2.1 - Unauthenticated Data Deletion
Published
2025-11-26
Title
Travelfic Toolkit < 1.3.4 - Missing Authorization
Published
2025-04-22
Title
wProject < 5.8.0 - Missing Authorization to Unauthenticated Content Modification and Deletion
Published
2023-10-03
Title
Optimize Database after Deleting Revisions < 5.1 - Missing Authorization via 'odb_csv_download'