Lucene search

[email protected]NVD:CVE-2023-1615

HistoryJun 09, 2023 - 6:15 a.m.

CVE-2023-1615

2023-06-0906:15:57

[email protected]

web.nvd.nist.gov

wordpress

sql injection

contact form 7

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

8.7

Confidence

High

EPSS

0.002

Percentile

61.1%

JSON

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in versions up to, and including, 3.1.23. This makes it possible for authenticated attackers of any authorization level to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affected configurations

Nvd

Node

themeficultimate_addons_for_contact_form_7Range≤3.1.23wordpress

VendorProductVersionCPE
themeficultimate_addons_for_contact_form_7*cpe:2.3:a:themefic:ultimate_addons_for_contact_form_7:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
themefic	ultimate_addons_for_contact_form_7	*	cpe:2.3:a:themefic:ultimate_addons_for_contact_form_7::::::wordpress::*

References

plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/database/database.php?rev=2897709#L255

plugins.trac.wordpress.org/changeset/2901676/

wordpress.org/plugins/ultimate-addons-for-contact-form-7/#developers

www.wordfence.com/threat-intel/vulnerabilities/id/817ca119-ddaf-4525-beee-68c4e0aac544?source=cve

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

8.7

Confidence

High

EPSS

0.002

Percentile

61.1%

JSON

Related for NVD:CVE-2023-1615

cvelist1 wpvulndb2 prion1 cve1 wordfence1