Arbitrary Shortcode Execution in CF7 WOW Styler Plugin for WordPress
CVE-2024-12419

6.5MEDIUM

Key Information:

Vendor
Wordpress
Status
Design For Contact Form 7 Style WordPress Plugin – Cf7 Wow Styler
Vendor
CVE Published:
7 January 2025

Summary

The CF7 WOW Styler plugin for WordPress contains a vulnerability that permits arbitrary shortcode execution due to improper validation of input values. This flaw affects all versions up to and including 1.7.0, allowing unauthenticated attackers to execute potentially harmful shortcodes within the WordPress environment. Although version 1.7.0 addressed associated Reflected Cross-Site Scripting risks, the vulnerability related to arbitrary shortcode execution remains unmitigated, posing significant security risks to users.

Affected Version(s)

Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler * <= 1.6.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/cf7-styler/tag...
https://plugins.trac.wordpress.org/browser/cf7-styler/tag...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadiusz Hydzik
.