cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forwpb-popup-for-contact-form-7 wpb-popup-for-contact-form-7

Direction: ascending
Nov 20, 2024

WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup # CVE-2024-11038

CVE, Research URL

CVE-2024-11038

Home page URL

Security reports for WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup

Application

WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup

Date
Nov 19, 2024
Research Description
The The WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup plugin for WordPress is vulnerable to arbitrary shortcode execution via wpb_pcf_fire_contact_form AJAX action in all versions up to, and including, 1.7.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Affected versions
max 1.7.6.
Status
vulnerable