CVE-2024-1776

Name of the Vulnerable Software and Affected Versions Contact Form 7 plugin for WordPress versions up to, and including, 1.1.1

Description The Admin side data storage for the Contact Form 7 plugin is vulnerable to SQL Injection via the form-id parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Recommendations For Contact Form 7 plugin for WordPress versions up to, and including, 1.1.1, consider updating to a version that addresses this issue, as no specific workaround is provided for these versions. As a temporary workaround, consider restricting access to the form-id parameter in the affected API endpoint until a patch is available. Avoid using the form-id parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.