cleantalk
Vulnerabilities and Security Researches

Conditional Fields for Contact Form 7, CVE-2024-5804

CVE, Research URL

CVE-2024-5804

Home page URL

Security reports for Conditional Fields for Contact Form 7

Application

Conditional Fields for Contact Form 7

Published on
Jul 20, 2024
Research Description
The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.4.14.
Status
vulnerable
Previous vulnerability researches
Conditional Fields for Contact Form 7 (CVE-2023-47838) , Jun 10, 2024
Conditional Fields for Contact Form 7 (CVE-2026-25863) , May 06, 2026
Conditional Fields for Contact Form 7 (0bb038577e135241efdec5ee2901e7ead90280e7) , Jun 07, 2024
Conditional Fields for Contact Form 7 (CVE-2024-50412) , Oct 27, 2024
Conditional Fields for Contact Form 7 (CVE-2024-5804) , Jul 20, 2024
New vulnerability
Royal Elementor Addons and Templates (CVE-2026-4803) , May 06, 2026
Royal Elementor Addons and Templates (CVE-2026-5159) , May 06, 2026
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2026-5063) , May 06, 2026
Loco Translate (CVE-2026-1921) , May 06, 2026
Conditional Fields for Contact Form 7 (CVE-2026-25863) , May 06, 2026