WordPress Plugin Vulnerabilities

Admin side data storage for Contact Form 7 <= 1.1.1 - Missing Authorization to Unauthenticated Bookmark Status Alteration

Description

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter bookmark statuses.

Affects Plugins

Plugin icon
admin-side-data-storage-for-contact-form-7
No known fix

References

CVE
CVE-2024-1778
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d74040d0-1fee-4906-af6f-a5d842c42fd4

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
zulu caPWN
Verified
No
WPVDB ID
dabb57fa-c6e4-41f0-bcee-2f622d376cb7

Timeline

Publicly Published
2024-02-22 (about 2 years ago)
Added
2024-02-22 (about 2 years ago)
Last Updated
2024-02-22 (about 2 years ago)

Other

Published
Title
Published
2024-12-10
Title
CM Answers < 3.2.7 - Missing Authorization
Published
2025-04-01
Title
Mobile App Canvas < 3.8.3 - Missing Authorization
Published
2022-09-05
Title
WP Shamsi < 4.2.0 - Subscriber+ Settings Update
Published
2024-04-15
Title
PeproDev Ultimate Invoice < 2.0.2 - Missing Authorisation
Published
2025-03-13
Title
Eco Nature - Environment & Ecology WordPress Theme < 2.1.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update