Cross-Site Scripting Vulnerabilities in Contact Form DB Plugin for WordPress
CVE-2014-7139

Currently unrated

Key Information:

Vendor
WordPress
CVE Published:
10 October 2014

Summary

The Contact Form DB plugin for WordPress, in versions before 2.8.16, is prone to multiple cross-site scripting (XSS) vulnerabilities. Attackers can exploit these weaknesses by injecting arbitrary web script or HTML through manipulated parameters in the CF7DBPluginShortCodeBuilder page. By targeting the 'form' or 'enc' parameters in requests to wp-admin/admin.php, unauthorized users can potentially execute malicious scripts in the context of an authenticated user's session, compromising site integrity and user data.
