Contact Form 7 – Dynamic Text Extension < 4.2.0 – Insecure Direct Object Reference | CVE 2023-6630 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key.

Affects Plugins

contact-form-7-dynamic-text-extension

Fixed in 4.2.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

e57054d1-62fc-4cfc-9588-e4243d06971b

Timeline

Publicly Published

2024-01-10 (about 2 years ago)

Added

2024-01-12 (about 2 years ago)

Last Updated

2024-01-12 (about 2 years ago)

Other

Published

Title

Published

2026-01-05

Title

FS Registration Password < 2.0.1 - Unauthenticated Privilege Escalation via Account Takeover

Published

2024-12-04

Title

AnyWhere Elementor < 1.2.12 - Authenticated (Contributor+) Post Disclosure

Published

2025-02-21

Title

Post Grid and Gutenberg Blocks < 2.3.6 - Unauthenticated Paid Order Creation

Published

2025-03-14

Title

School Management System – WPSchoolPress < 2.2.17 - Teacher+ Privilege Escalation

Published

2024-04-16

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Insecure Direct Object Reference