Data Modification Vulnerability in Country State City Dropdown CF7 Plugin for WordPress
CVE-2024-3520

4.3MEDIUM

Key Information:

Vendor
Wordpress
Status
Country State City Dropdown Cf7
Vendor
CVE Published:
2 May 2024

Summary

The Country State City Dropdown CF7 plugin for WordPress exposes a critical security flaw due to a missing capability check. This vulnerability affects all versions up to and including 2.7.1, allowing authenticated users with subscriber access and above to modify data unimpeded. Specifically, these users can add new states or cities to the dropdown list, potentially impacting user selection and overall data integrity.

Affected Version(s)

Country State City Dropdown CF7 * <= 2.7.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3068802/coun...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lucio Sá
.