Unauthenticated Arbitrary Shortcode Execution Vulnerability in CF7 Popup plugin
CVE-2024-11038
7.3 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 19 November 2024
Summary
The WPB Popup for Contact Form 7 plugin for WordPress is vulnerable to arbitrary shortcode execution by unauthenticated attackers. The cause is insufficient validation of user input in the wpb_pcf_fire_contact_form AJAX action, which is present in all versions up to and including 1.7.5. Successful exploitation lets an attacker execute arbitrary shortcodes on the WordPress site, compromising its integrity and security.
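As an added, illustrative example (not the plugin's own code and not its actual fix), the following WordPress AJAX handler for the action cited above shows how to avoid arbitrary shortcode execution: the server accepts only a numeric form ID, verifies that it belongs to a published Contact Form 7 form, and builds the shortcode itself. The request parameter name, nonce action and hook wiring are assumptions.

```php
<?php
// Illustrative hardened handler for the wpb_pcf_fire_contact_form AJAX action.
// Hook names, the 'form_id' parameter and the nonce action are assumptions.

add_action( 'wp_ajax_wpb_pcf_fire_contact_form', 'hardened_pcf_fire_contact_form' );
add_action( 'wp_ajax_nopriv_wpb_pcf_fire_contact_form', 'hardened_pcf_fire_contact_form' );

function hardened_pcf_fire_contact_form() {
    // Reject requests that do not carry a valid nonce issued to the page that
    // embeds the popup; this also covers unauthenticated visitors.
    check_ajax_referer( 'wpb_pcf_popup', 'nonce' );

    // Never accept shortcode text from the client. Accept only a form ID.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( 'missing form id', 400 );
    }

    // The ID must point at a published Contact Form 7 form and nothing else.
    $form = get_post( $form_id );
    if ( ! $form
        || 'wpcf7_contact_form' !== $form->post_type
        || 'publish' !== $form->post_status ) {
        wp_send_json_error( 'unknown form', 404 );
    }

    // The server composes the shortcode, so the only tag that can ever run
    // here is [contact-form-7] with a validated numeric id.
    $html = do_shortcode( sprintf( '[contact-form-7 id="%d"]', $form_id ) );

    wp_send_json_success( array( 'html' => $html ) );
}
```

A detection check for this class of bug is to grep the plugin for do_shortcode() calls whose argument is derived from $_POST or $_GET rather than composed server-side.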
Affected Version(s)
WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup: all versions <= 1.7.5
CVSS V3.1
- Score: 7.3
- Severity: HIGH
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
- Vulnerability published
- Vulnerability reserved
Credit
Arkadiusz Hydzik