Description
Marc-Alexandre Montpas reported a security issue in the popular WordPress plugin Custom Contact Forms that allows a remote user with no administrative privileges to download and modify the site's database. No authentication is required.
Remediation
Upgrade to the latest version of Custom Contact Forms (this problem was fixed in version 5.1.0.4).