3 matches found
Cross site request forgery (csrf)
The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The...
CVE-2021-24790
The CVE pertains to the WordPress plugin Contact Form Advanced Database (versions ≤ 1.0.8). The vulnerability arises from missing authorization checks and CSRF protection in two AJAX endpoints, delete_cf7_data and export_cf7_data, which are accessible to any authenticated user (down to subscriber...
Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls
The plugin does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The deletecf7data would lead to arbitrary metadata deletion, as well ...