CVE-2024-6316

Name of the Vulnerable Software and Affected Versions: Generate PDF using Contact Form 7 plugin for WordPress versions up to, and including, 4.0.6

Description: The issue is due to missing nonce validation and missing file type validation in the wp cf7 pdf dashboard html page function, making it possible for unauthenticated attackers to upload arbitrary files on the affected site's server. This may make remote code execution possible via a forged request if attackers can trick a site administrator into performing an action such as clicking on a link.

Recommendations: For versions up to, and including, 4.0.6, update to a version that includes nonce validation and file type validation to prevent arbitrary file uploads. As a temporary workaround, consider disabling the wp cf7 pdf dashboard html page function until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.