WordPress Plugin Vulnerabilities

Database for CF7 < 1.2.5 - Subscriber+ CF7 DB Entries Deletion

Description

The plugin is vulnerable to unauthorized loss of data due to a missing capability check on the wpcf7db_delete AJAX function, allowing authenticated attackers, with subscriber-level access and above, to delete CF7 Database entries.

Affects Plugins

Plugin icon
database-for-cf7
Fixed in 1.2.5

References

CVE
CVE-2023-49167
URL
https://patchstack.com/database/vulnerability/database-for-cf7/wordpress-database-for-cf7-plugin-1-2-4-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Vladislav Pokrovsky (ΞX.MI)
Verified
Yes
WPVDB ID
f7d89366-d593-40d0-9f67-fe6cf2ccf04a

Timeline

Publicly Published
2023-11-29 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-02-28 (about 2 years ago)

Other

Published
Title
Published
2025-01-13
Title
Button Block < 1.1.6 - Missing Authorization
Published
2025-12-31
Title
DMCA Protection Badge <= 2.2.0 - Missing Authorization
Published
2026-04-28
Title
Complianz < 7.4.6 - Unauthenticated Private Post Content Disclosure
Published
2024-08-07
Title
Orchid Store < 1.5.7 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation
Published
2026-02-18
Title
Simple Membership < 4.7.1 - Unauthenticated Improper Handling of Missing Values