WordPress plugin Custom Contact Forms critical vulnerability

Description

Marc-Alexandre Montpas reported a security issue in the popular WordPress plugin Custom Contact Forms that would allow a user with no administrative privileges to download and modify your database remotely (no authentication required).

Remediation

Upgrade to the latest version of Custom Contact Forms (this problem was fixed in version 5.1.0.4).

References

Critical Vulnerability Disclosed on WordPress Custom Contact Forms Plugin

Related Vulnerabilities

WordPress Plugin SCORM Cloud For WordPress 'ajax.php' SQL Injection (1.0.6.6)

ownCloud Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2015-4716)

Oracle Database Server CVE-2018-2939 Vulnerability (CVE-2018-2939)

MySQL CVE-2012-3158 Vulnerability (CVE-2012-3158)

Ruby Improper Input Validation Vulnerability (CVE-2015-7551)

Severity

High

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N