PT-2024-16017 · WordPress · Contact Form 7 – Dynamic Text Extension

Francesco Carlucci · Published 2024-11-05 · Updated 2024-11-07 · CVE-2024-10084

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Contact Form 7 – Dynamic Text Extension plugin for WordPress versions prior to 4.5.0

Description: The Contact Form 7 – Dynamic Text Extension plugin for WordPress has a Basic Information Disclosure issue. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract the titles and text contents of private and password-protected posts they do not own. The issue is related to the CF7 get post var shortcode.

Recommendations: Update to version 4.5.0 or later to secure your site. As a temporary workaround, consider restricting access to the CF7 get post var shortcode until the update is applied. Ensure you update to the latest version to mitigate risks.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-10084

Affected Products

Contact Form 7 – Dynamic Text Extension