Data Modification Vulnerability in Country State City Dropdown CF7 Plugin for WordPress
CVE-2024-3520

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Country State City Dropdown Cf7
Vendor: CVE Published:; 2 May 2024

What is CVE-2024-3520?

The Country State City Dropdown CF7 plugin for WordPress exposes a critical security flaw due to a missing capability check. This vulnerability affects all versions up to and including 2.7.1, allowing authenticated users with subscriber access and above to modify data unimpeded. Specifically, these users can add new states or cities to the dropdown list, potentially impacting user selection and overall data integrity.

Affected Version(s)

Country State City Dropdown CF7 * <= 2.7.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3068802/coun...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Apr 9, 2024

Credit

Lucio Sá

Wordpress

What is CVE-2024-3520?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit