CVE-2024-10898

Name of the Vulnerable Software and Affected Versions Contact Form 7 Email Add on plugin for WordPress versions up to, and including, 1.9

Description The issue allows authenticated attackers with Contributor-level access and above to include and execute arbitrary PHP files on the server. This is possible via the cf7 email add on add admin template() function, making it possible to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

Recommendations For versions up to, and including, 1.9, consider disabling the cf7 email add on add admin template() function as a temporary workaround until a patch is available. Restrict access to sensitive data and PHP files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.