CVE-2023-2301

Name of the Vulnerable Software and Affected Versions Contact Form Builder by vcita plugin for WordPress versions up to, and including, 4.9.1

Description The issue is due to missing nonce validation on the ls parse vcita callback function, making it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request. This can happen if an attacker can trick a site administrator into performing an action, such as clicking on a link.

Recommendations For versions up to, and including, 4.9.1, consider disabling the ls parse vcita callback function until a patch is available to prevent exploitation. Restrict access to the plugin's settings to minimize the risk of modification by unauthorized parties. Avoid performing actions that could be triggered by forged requests, such as clicking on suspicious links, to reduce the risk of exploitation.