Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveWordfenceCVE-2023-6449
HistoryDec 01, 2023 - 11:15 a.m.

CVE-2023-6449

2023-12-0111:15:08
CWE-434
Wordfence
web.nvd.nist.gov
122
cve
2023
6449
contact form 7
wordpress
plugin
arbitrary file uploads
file type validation
security vulnerability
remote code execution
nvd

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.002

Percentile

52.8%

JSON

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘validate’ function and insufficient blocklisting on the ‘wpcf7_antiscript_file_name’ function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site’s server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.

Affected configurations

Nvd
Vulners
Node
rocklobstercontact_form_7Range<5.8.4wordpress
VendorProductVersionCPE
rocklobstercontact_form_7*cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "takayukister",
    "product": "Contact Form 7",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "5.8.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Related

wpvulndb 1
prion 1
nvd 1
cvelist 1
osv 1
wordfence 1
wpvulndb
wpvulndb
Contact Form 7 < 5.8.4 - Authenticated (Editor+) Arbitrary File Upload
2023-12-01 00:00:00
prion
prion
Input validation
2023-12-01 11:15:00
nvd
nvd
CVE-2023-6449
2023-12-01 11:15:08
cvelist
cvelist
CVE-2023-6449
2023-12-01 11:00:06
osv
osv
CVE-2023-6449
2023-12-01 11:15:08
wordfence
wordfence
Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023)
2023-12-07 14:11:22

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.002

Percentile

52.8%

JSON
Related for CVE-2023-6449
wpvulndb1prion1nvd1cvelist1osv1wordfence1