Arbitrary Shortcode Execution Vulnerability in Contact Form & SMTP Plugin by PirateForms for WordPress
CVE-2024-13453

7.3HIGH

Key Information:

Vendor
Smub
Status
Contact Form & Smtp Plugin For WordPress By Pirateforms
Vendor
CVE Published:
30 January 2025

Summary

The Contact Form & SMTP Plugin by PirateForms for WordPress is susceptible to an arbitrary shortcode execution flaw in all versions up to and including 2.6.0. This vulnerability arises from the plugin's failure to adequately validate user input before executing the do_shortcode function. As a consequence, unauthenticated attackers can exploit this weakness, enabling them to run malicious shortcodes, which may compromise the website's security and integrity.

Affected Version(s)

Contact Form & SMTP Plugin for WordPress by PirateForms * <= 2.6.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/pirate-forms/t...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Mazzolini
.