PT-2021-16285 · WordPress · Contact Form Advanced Database

Quentin Villain · Published 2021-12-13 · Updated 2022-10-24 · CVE-2021-24790

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Contact Form Advanced Database WordPress plugin versions 1.0.8 and earlier
Description: The issue concerns the lack of authorization and CSRF checks in the delete_cf7_data and export_cf7_data AJAX actions, which are accessible to any authenticated user. This could allow users with a role as low as subscriber to call these actions, potentially leading to arbitrary metadata deletion. Additionally, if a suitable gadget chain is present in another plugin, it could result in PHP Object Injection, as user data is passed to the maybe_unserialize() function without validation.
Recommendations: For Contact Form Advanced Database WordPress plugin versions 1.0.8 and earlier, consider disabling the delete_cf7_data and export_cf7_data AJAX actions until a patch is available that adds proper authorization and CSRF checks (a capability check and a nonce check in each handler). Restrict access to these actions to minimize the risk of exploitation. Avoid passing unvalidated user data to the maybe_unserialize() function in the affected AJAX endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
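To show the weakness class the description names and the checks the recommendations call for, here is an added illustration in PHP; it is not the plugin's code, and the action names, meta key and post type are hypothetical placeholders.

```php
<?php
// Added illustration (not the plugin's code): a WordPress AJAX handler with the
// weakness class from the advisory, followed by a hardened version of the same
// handler. Action names, the meta key and the post type are hypothetical.

// WEAK pattern: every logged-in user can reach a wp_ajax_* hook, and this handler
// checks neither a capability nor a nonce, and feeds raw POST data to
// maybe_unserialize(), which calls unserialize() on serialized-looking input.
function weak_delete_form_data() {
    $ids = maybe_unserialize( wp_unslash( $_POST['ids'] ) );
    foreach ( (array) $ids as $id ) {
        delete_post_meta( (int) $id, '_example_submission' );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_weak_delete_form_data', 'weak_delete_form_data' );

// HARDENED pattern: CSRF token, capability check, and no unserialize() on user input.
function hardened_delete_form_data() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action
    //    (the sending page creates it with wp_create_nonce( 'delete_form_data' )).
    //    check_ajax_referer() terminates the request when the nonce is invalid.
    check_ajax_referer( 'delete_form_data', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability that
    //    an administrator has and a subscriber does not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input handling: accept a JSON array of integers and validate each element
    //    rather than letting PHP unserialize attacker-controlled bytes.
    $raw = isset( $_POST['ids'] ) ? wp_unslash( $_POST['ids'] ) : '';
    $ids = json_decode( $raw, true );
    if ( ! is_array( $ids ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $deleted = 0;
    foreach ( $ids as $id ) {
        $id = absint( $id );
        // Only touch records of the plugin's own (hypothetical) post type.
        if ( $id && get_post_type( $id ) === 'example_submission' ) {
            delete_post_meta( $id, '_example_submission' );
            $deleted++;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
add_action( 'wp_ajax_hardened_delete_form_data', 'hardened_delete_form_data' );
```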

Exploit

Weakness Enumeration: Missing Authorization, CSRF

Related Identifiers: CVE-2021-24790

Affected Products: Contact Form Advanced Database