PT-2023-18825 · Vcita · Contact Form/Calls To Action
Jonas Höbenreich
·
Published
2023-06-03
·
Updated
2023-06-09
·
CVE-2023-2303
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Contact Form and Calls To Action by vcita plugin for WordPress versions up to, and including, 2.6.4
Description
The issue is due to missing nonce validation in the vcita-callback.php file, making it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request. This can be achieved if an attacker can trick a site administrator into performing an action such as clicking on a link.
Recommendations
For versions up to, and including, 2.6.4, consider disabling the vcita-callback.php file or restricting access to it until a patch is available. As a temporary workaround, restrict the ability to modify plugin settings to prevent potential exploitation.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Contact Form/Calls To Action