wpvulndb
WPVDB-ID:1E8CAD19-A202-4C08-AD25-54ED1EDA3474
Jun 07, 2024 - 12:00 a.m.

CF7 Google Sheets Connector < 5.0.10 - Missing Authorization to Limited Site Configuration Update

2024-06-07 00:00:00
wpscan.com
cf7
google sheets connector
wordpress
vulnerability
unauthorized
data modification
authorization
site configuration
unauthenticated
attackers
wp_debug
wp_debug_log
script_debug
savequeries

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 6.5
Confidence: Low

Description

The CF7 Google Sheets Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘execute_post_data_cg7_free’ function in all versions up to, and including, 5.0.9. This makes it possible for unauthenticated attackers to toggle site configuration settings, including WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG, and SAVEQUERIES.
