PT-2024-26377 · WordPress · Country State City Dropdown Cf7

Lucio Sá · Published 2024-05-02 · Updated 2024-05-11 · CVE-2024-3520

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

The Country State City Dropdown CF7 plugin for WordPress, versions up to, and including, 2.7.1.

Description

The issue allows authenticated attackers with subscriber access and above to modify data without proper authorization. This is due to a missing capability check on the tc csca patch settings function. As a result, attackers can add states or cities to the dropdown.

Recommendations

For versions up to, and including, 2.7.1, update to a version higher than 2.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the tc csca patch settings function until a patch is available.

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-3520

Affected Products: Country State City Dropdown Cf7