CVE-2024-6317

Name of the Vulnerable Software and Affected Versions: Generate PDF using Contact Form 7 plugin for WordPress versions up to, and including, 4.0.6

Description: The issue is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the wp cf7 pdf dashboard html page function. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Recommendations: For versions up to, and including, 4.0.6, update to a version higher than 4.0.6 to resolve the issue. As a temporary workaround, consider disabling the wp cf7 pdf dashboard html page function until a patch is available. Restrict access to the plugin's file deletion functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.