Lucene search

[email protected]CVE-2023-6449

HistoryDec 01, 2023 - 11:15 a.m.

CVE-2023-6449

2023-12-0111:15:08

CWE-434

[email protected]

web.nvd.nist.gov

115

cve

2023

6449

contact form 7

wordpress

plugin

arbitrary file uploads

file type validation

security vulnerability

remote code execution

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.9%

JSON

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘validate’ function and insufficient blocklisting on the ‘wpcf7_antiscript_file_name’ function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site’s server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.

Affected configurations

Vulners

NVD

Node

takayukistercontact_form_7Range≤5.8.3

CPENameOperatorVersion
rocklobster:contact_form_7rocklobster contact form 7lt5.8.4

CPE	Name	Operator	Version
rocklobster:contact_form_7	rocklobster contact form 7	lt	5.8.4

CNA Affected

[
  {
    "vendor": "takayukister",
    "product": "Contact Form 7",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "5.8.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]