Lucene search
WPScanCVELIST:CVE-2021-24905HistoryMar 21, 2022 - 6:55 p.m.
CVE-2021-24905 Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
2022-03-2118:55:37
CWE-863
WPScan
www.cve.org
2
wordpress plugin
file deletion
arbitrary access
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.
CNA Affected
[
{
"product": "Advanced Contact form 7 DB",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.8.7",
"status": "affected",
"version": "1.8.7",
"versionType": "custom"
}
]
}
]Related
patchstack
patchstack
wpvulndb
wpvulndb
Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
2022-02-22 00:00:00
prion
prion
Cross site request forgery (csrf)
2022-03-21 19:15:00
nvd
nvd
CVE-2021-24905
2022-03-21 19:15:08
cve
cve
CVE-2021-24905
2022-03-21 19:15:08
wpexploit
wpexploit
Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
2022-02-22 00:00:00