CVE-2024-1778

2024-02-2307:15:48

Wordfence

web.nvd.nist.gov

cve-2024-1778

admin data storage

contact form 7

wordpress

vulnerability

missing capability check

unauthorized modification

data alteration

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

5.3

Confidence

High

EPSS

Percentile

9.0%

JSON

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter bookmark statuses.

Affected configurations

Vulners

Node

zestardtechnologiesadmin_side_data_storage_for_contact_form_7Range≤1.1.1wordpress

VendorProductVersionCPE
zestardtechnologiesadmin_side_data_storage_for_contact_form_7*cpe:2.3:a:zestardtechnologies:admin_side_data_storage_for_contact_form_7:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
zestardtechnologies	admin_side_data_storage_for_contact_form_7	*	cpe:2.3:a:zestardtechnologies:admin_side_data_storage_for_contact_form_7::::::wordpress::*

CNA Affected

[
  {
    "vendor": "zestardtechnologies",
    "product": "Admin side data storage for Contact Form 7",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.1.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]