Cross-Site Request Forgery Vulnerability in Generate PDF using Contact Form 7 Plugin for WordPress
CVE-2024-6316
8.8HIGH
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 9 July 2024
What is CVE-2024-6316?
The Generate PDF using Contact Form 7 plugin for WordPress contains a vulnerability that allows attackers to exploit Cross-Site Request Forgery, leading to arbitrary file uploads. This security flaw arises from inadequate nonce and file type validations within the 'wp_cf7_pdf_dashboard_html_page' function. Consequently, unauthenticated attackers can upload harmful files to the affected site's server, potentially enabling remote code execution if they successfully persuade an administrator to take an action, such as clicking on a crafted link. Users of affected versions should take immediate steps to mitigate this risk.