Lucene search

WpvulndbWPVDB-ID:230BD59A-8BC3-45CC-B368-8DBE296D85BA

HistoryMay 20, 2024 - 12:00 a.m.

Integration for Contact Form 7 and Salesforce <= <=1.3.9 - Cross-Site Request Forgery

2024-05-2000:00:00

wpscan.com

wordpress

csrf

contact form 7

salesforce

vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

6.4 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Description The Integration for Contact Form 7 and Salesforce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, <=1.3.9. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for unauthenticated attackers to change the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CPENameOperatorVersion
eq1.4.0

CPE	Name	Operator	Version
		eq	1.4.0

References

www.wordfence.com/threat-intel/vulnerabilities/id/24cad8ef-f0c4-4306-bd8e-4ce59baa424d

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

6.4 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for WPVDB-ID:230BD59A-8BC3-45CC-B368-8DBE296D85BA