Arbitrary Shortcode Execution in CF7 WOW Styler Plugin for WordPress
CVE-2024-12419

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Design For Contact Form 7 Style WordPress Plugin – Cf7 Wow Styler
Vendor: CVE Published:; 7 January 2025

What is CVE-2024-12419?

The CF7 WOW Styler plugin for WordPress contains a vulnerability that permits arbitrary shortcode execution due to improper validation of input values. This flaw affects all versions up to and including 1.7.0, allowing unauthenticated attackers to execute potentially harmful shortcodes within the WordPress environment. Although version 1.7.0 addressed associated Reflected Cross-Site Scripting risks, the vulnerability related to arbitrary shortcode execution remains unmitigated, posing significant security risks to users.

Affected Version(s)

Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler * <= 1.6.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cf7-styler/tag...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 7, 2025
Vulnerability Reserved
Dec 10, 2024

Credit

Arkadiusz Hydzik