PT-2024-17510 · WordPress · Accept Stripe Payments Using Contact Form 7

Joshua Chan · Published 2024-12-12 · Updated 2025-07-02 · CVE-2024-12255

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Accept Stripe Payments Using Contact Form 7 plugin for WordPress versions up to, and including, 2.5.

Description: The issue allows unauthenticated attackers to extract configuration information through the cf7sa-info.php file, which returns phpinfo() data. This information can be leveraged in another attack.

Recommendations: For versions up to, and including, 2.5, consider removing or restricting access to the cf7sa-info.php file until a patch is available. As a temporary workaround, consider disabling the plugin until a fixed version is released. Restrict access to the plugin's configuration to minimize the risk of exploitation.

Exploit

Fix

Information Disclosure

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2024-12255

Affected Products

Accept Stripe Payments Using Contact Form 7