CVE-2024-4870

Name of the Vulnerable Software and Affected Versions Frontend Registration – Contact Form 7 plugin for WordPress versions up to, and including, 5.1

Description The issue is related to insufficient restriction on the cf7frr post meta, allowing authenticated attackers with editor-level access and above to modify the default user role in the registration form settings. This can lead to privilege escalation.

Recommendations For versions up to, and including, 5.1, update the plugin to a version that includes the necessary security fixes to restrict access to the cf7frr post meta and prevent unauthorized modifications to the default user role. As a temporary workaround, consider restricting editor-level access to trusted users only until a patch is available.