Platform
wordpress
Component
wpb-popup-for-contact-form-7
Fixed in
1.7.6
CVE-2024-11038 describes an arbitrary shortcode execution vulnerability discovered in the WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to website defacement, data theft, or further malicious actions. The vulnerability affects versions of the plugin up to and including 1.7.5. A fix is available in later versions.
The arbitrary shortcode execution vulnerability is particularly concerning because it requires no authentication. An attacker can use it to inject shortcodes into the website, which the WordPress server then renders. The consequences range widely: execution of arbitrary PHP code, redirection of users to malicious websites, or theft of sensitive data stored in the WordPress database. That ability to execute arbitrary code gives the attacker significant control over the affected website, potentially allowing them to install malware, modify content, or compromise user accounts. The impact is amplified if the website handles sensitive user data or is integrated with other critical systems.
CVE-2024-11038 was publicly disclosed on November 19, 2024. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is likely to be medium, given the ease of exploitation and the potential impact. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Websites using the WPB Popup for Contact Form 7 plugin, particularly those running older versions (≤1.7.5), are at risk. Shared hosting environments are especially vulnerable, as they often have limited control over plugin updates and security configurations. Websites that rely on the plugin for critical functionality, such as lead generation or customer support, face a higher potential impact if compromised.
Detection (wordpress / composer / npm):

• Check whether the plugin code that registers the vulnerable AJAX action is present on disk:
  grep -r 'wpb_pcf_fire_contact_form' /var/www/html/wp-content/plugins/wp-popup-for-contact-form7/
• Check whether the plugin is installed and active:
  wp plugin list --status=active | grep 'wp-popup-for-contact-form7'
• Check whether the AJAX action endpoint answers (the URL is quoted so the shell does not treat the & as a background operator):
  curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=wpb_pcf_fire_contact_form&some_malicious_shortcode' | head -n 1
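The checks above tell you whether the plugin is present; the version boundary (1.7.5 or earlier is affected, 1.7.6 is fixed) still has to be evaluated. The following added Python example, which is not code from this advisory or from the plugin, reads the `Version:` line of the plugin header that WordPress itself uses to identify a plugin, compares it numerically (so that 1.10.0 is correctly treated as newer than 1.7.5), and can be pointed at the plugin directory named in the grep command. The sample header text, the function names and the directory path argument are constructed for this example.

```python
import re
from pathlib import Path

# CVE-2024-11038: versions up to and including 1.7.5 are affected; 1.7.6 carries the fix.
LAST_VULNERABLE = "1.7.5"

# Constructed sample of a WordPress plugin main-file header. This is NOT the real
# plugin file, only the header format that WordPress parses for every plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WPB Popup for Contact Form 7
 * Plugin URI:  https://example.invalid/wpb-popup-for-contact-form-7
 * Description: Showing the Contact Form 7 popup on button click
 * Version:     1.7.5
 * Author:      example
 */
"""

# "Version:" on its own header line, allowing the usual comment decoration in front of it.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)
PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text):
    """Return the Version: value from a plugin header, or None if it is absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '1.7.5' into (1, 7, 5); a non-numeric suffix such as '5-beta' counts as 5."""
    key = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        key.append(int(digits.group(0)) if digits else 0)
    return tuple(key)


def compare_versions(a, b):
    """Return -1, 0 or 1. Numeric comparison: 1.10.0 > 1.7.5, and 1.7 == 1.7.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, last_vulnerable=LAST_VULNERABLE):
    """True when the installed version is at or below the last vulnerable release."""
    return compare_versions(version, last_vulnerable) <= 0


def check_plugin_dir(plugin_dir):
    """Find the plugin's main file (the one carrying 'Plugin Name:') and assess its version.

    Returns a dict with file, version and affected, or None if no plugin header was found
    (for example when the plugin is not installed at that path).
    """
    for php in sorted(Path(plugin_dir).glob("*.php")):
        text = php.read_text(errors="replace")
        if PLUGIN_NAME_RE.search(text):
            version = parse_plugin_version(text)
            return {
                "file": str(php),
                "version": version,
                "affected": version is not None and is_affected(version),
            }
    return None


if __name__ == "__main__":
    # Runs offline against the constructed header; on a real host call
    # check_plugin_dir("/var/www/html/wp-content/plugins/wp-popup-for-contact-form7") instead.
    found = parse_plugin_version(SAMPLE_HEADER)
    print(f"sample header version {found}: affected={is_affected(found)}")
```

The numeric comparison matters because a plain string comparison would rank "1.10.0" below "1.7.5" and report a patched site as vulnerable. A missing `Version:` header is reported as not assessable rather than silently treated as safe.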
Exploit status
EPSS
1.11% (78th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11038 is to upgrade the WPB Popup for Contact Form 7 plugin to a version higher than 1.7.5. If an immediate upgrade is not possible because of compatibility issues or breaking changes, consider temporarily disabling the plugin. As a short-term workaround, implement a Web Application Firewall (WAF) rule that blocks requests carrying the wpb_pcf_fire_contact_form AJAX action. Carefully review any recent changes to the plugin's configuration or code for suspicious activity. After upgrading, confirm the fix by attempting to trigger the vulnerable AJAX action and verifying that its input is properly sanitized and that it no longer executes arbitrary shortcodes.
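The WAF workaround and the monitoring advice above come down to one question: does a request invoke the wpb_pcf_fire_contact_form action on admin-ajax.php? The following added Python example, not code from this advisory or from any WAF product, implements that decision for both GET query strings and form-encoded POST bodies (WordPress reads the action from $_REQUEST, so both must be covered), and reuses the same logic to scan web-server access-log lines for earlier probes. The log lines, client addresses and function names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The admin-ajax action named in the advisory as the vulnerable entry point.
VULNERABLE_ACTION = "wpb_pcf_fire_contact_form"


def request_actions(method, target, body=""):
    """Return every 'action' value of an admin-ajax request (query string and POST body).

    Only form-encoded bodies are parsed here; a production WAF rule must also
    inspect multipart/form-data bodies, which this example does not handle.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params.get("action", [])


def should_block(method, target, body=""):
    """WAF decision: block only requests that invoke the vulnerable AJAX action."""
    return VULNERABLE_ACTION in request_actions(method, target, body)


# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return the entries whose query string carries the vulnerable action.

    Access logs record the query string but not POST bodies, so this only finds
    GET probes; POST requests have to be caught in-line with should_block().
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and VULNERABLE_ACTION in request_actions(m["method"], m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": m["status"], "target": m["target"]})
    return hits


# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Nov/2024:10:15:32 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=wpb_pcf_fire_contact_form HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Nov/2024:10:16:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [19/Nov/2024:10:16:40 +0000] "GET /wp-content/uploads/2024/11/'
    'logo.png HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("vulnerable action requested:", hit)
```

Matching on the parsed `action` parameter, rather than on a substring of the raw URL, avoids blocking unrelated admin-ajax traffic (the heartbeat action in the sample passes) and still catches the action when it is sent in a POST body, which is the case a plain access-log search misses.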
Update the WPB Popup for Contact Form 7 plugin to the latest available version. This fixes the arbitrary shortcode execution vulnerability.
CVE-2024-11038 is a vulnerability in the WPB Popup for Contact Form 7 plugin that allows unauthenticated attackers to execute arbitrary shortcodes, potentially compromising the website.
You are affected if you use the WPB Popup for Contact Form 7 plugin at version 1.7.5 or earlier.
Upgrade the WPB Popup for Contact Form 7 plugin to a version higher than 1.7.5. If immediate upgrade is not possible, disable the plugin or implement a WAF rule.
As of November 2024, there are no known public exploits or active campaigns targeting this vulnerability, but monitoring is advised.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and updates.