CVE-2024-5804

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Jul 20, 2024 / Updated: 4mo ago

CVSS 4.3 / EPSS 0.05% / Medium

Summary

The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This vulnerability is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
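The pattern the summary describes, shown as an added illustration rather than the plugin's own code: an `admin_init` handler that resets settings whenever a request carries a trigger parameter, next to the same handler hardened with the checks WordPress provides. The option name, the `wpcf7cf_reset` parameter, the nonce action and field names, and the example function names are all assumptions made for this example.

```php
<?php
/*
 * Added illustration of CWE-352 in a WordPress admin_init handler.
 * This is NOT the plugin's code. Option name, request parameter,
 * nonce action/field and function names are assumptions.
 */

// BEFORE (vulnerable pattern): admin_init fires on every wp-admin page
// load, including plain GET navigations, so a link such as
//   /wp-admin/?wpcf7cf_reset=1
// opened by a logged-in administrator resets the settings. There is no
// nonce, no capability check and no request-method check.
function example_admin_init_vulnerable() {
    if ( isset( $_REQUEST['wpcf7cf_reset'] ) ) {
        delete_option( 'wpcf7cf_options' ); // assumed option name
    }
}

// AFTER (hardened): act only on POST, require the capability, and
// verify the nonce before touching any state.
function example_admin_init_hardened() {
    if ( ! isset( $_POST['wpcf7cf_reset'] ) ) {
        return; // ignore GET and unrelated admin page loads
    }
    // Authorization: an admin's browser may have sent this, but the
    // current user must still be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // Intent: the nonce proves this site rendered the form for this
    // user. check_admin_referer() calls wp_die() when it does not match,
    // so nothing below runs for a forged request.
    check_admin_referer( 'wpcf7cf_reset_settings', '_wpcf7cf_nonce' );

    delete_option( 'wpcf7cf_options' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_init', 'example_admin_init_hardened' );

// The settings page must emit the matching nonce for the form; a page
// on another origin cannot obtain this value for the victim's session.
function example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url() ); ?>">
        <?php wp_nonce_field( 'wpcf7cf_reset_settings', '_wpcf7cf_nonce' ); ?>
        <input type="hidden" name="wpcf7cf_reset" value="1">
        <?php submit_button( 'Reset settings', 'delete' ); ?>
    </form>
    <?php
}
```

Two details matter in practice. First, the capability check and the nonce check answer different questions (is this user allowed, and did this user intend it), so neither replaces the other. Second, because WordPress core does not set a `SameSite` attribute on its auth cookies, a browser's default of `Lax` still sends them on a top-level cross-site GET navigation, which is exactly the "click on a link" path the advisory describes; requiring POST and a nonce closes that path regardless of browser defaults.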

Impact

The impact of this vulnerability is on the integrity of the plugin's settings. A successful forged request resets the plugin's configuration, which can break or change the behaviour of conditional logic on the site's contact forms until an administrator restores it. No data is disclosed and the site itself stays up, so the CVSS vector records only a low integrity impact, but the indirect effect is that the affected forms may stop working as intended. The attack needs a site administrator to open an attacker-controlled link while logged in, which limits its reach but means the account being abused is a highly privileged one.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability affects versions up to and including 2.4.13 of the Conditional Fields for Contact Form 7 plugin. Site administrators should update to a release newer than 2.4.13 to remediate it.

Mitigation

1. Update the Conditional Fields for Contact Form 7 plugin to a version newer than 2.4.13. This is the only complete fix, since the missing nonce check is in the plugin itself.
2. Educate site administrators about the risks of opening unknown links, especially while logged into the WordPress admin panel; this vulnerability is triggered by exactly that action.
3. A Web Application Firewall (WAF) can add a layer of defence, but treat it as a stopgap: a forged request arrives from the administrator's own browser with a valid session cookie, so a WAF can only block it on surface features such as the request path or parameters, not on the absence of authorization.
4. Regularly review and audit plugin settings so that an unexpected reset to defaults is noticed and restored quickly.
5. Consider additional confirmation steps for critical admin functions, such as requiring a POST submission with a fresh nonce rather than acting on any admin page load.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-5804

Jul 20, 2024 at 2:15 AM
First Article

Feedly found the first article mentioning CVE-2024-5804. See article

Jul 20, 2024 at 2:15 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 20, 2024 at 2:15 AM
CVSS

A CVSS base score of 4.3 has been assigned.

Jul 20, 2024 at 2:20 AM / nvd
Trending

This CVE started to trend in security discussions

Jul 20, 2024 at 4:25 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 21%)

Jul 20, 2024 at 9:23 AM
Trending

This CVE stopped trending in security discussions

Jul 23, 2024 at 2:40 AM

Affected Systems

WordPress: Conditional Fields for Contact Form 7 plugin, versions up to and including 2.4.13

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 15, 2024 to July 21, 2024)
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. Last week, there were 71 vulnerabilities disclosed in 60 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week.
Update Sat Jul 20 14:27:33 UTC 2024
CVE-2024-5804
Medium Severity Description The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Read more at https://www.tenable.com/cve/CVE-2024-5804
CVE-2024-5804
Severity 3.1 (CVSS 3.1 Base Score)
Medium - CVE-2024-5804 - The Conditional Fields for Contact Form 7...
The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
