Platform
wordpress
Component
wpb-popup-for-contact-form-7
Fixed version
1.7.6
CVE-2024-11038 describes an arbitrary shortcode execution vulnerability in the WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup plugin for WordPress. The flaw allows unauthenticated attackers to execute arbitrary shortcodes, which can lead to website defacement, data exposure, or further malicious actions depending on what other shortcodes the site has registered. It affects all versions of the plugin up to and including 1.7.5; version 1.7.6 contains the fix.
The vulnerability is particularly concerning because it requires no authentication: an attacker can submit shortcodes through the plugin's AJAX handler and have the WordPress server render them. A shortcode is not PHP code by itself, so the real impact is bounded by the shortcodes registered by the installed theme and other plugins. Many sites register shortcodes that query the database, embed remote content, render user or form data, or perform privileged actions, so the outcome can range from content injection and redirection of visitors to malicious sites to disclosure of data stored in the WordPress database. Where a registered shortcode can run arbitrary PHP or write files, the attacker gains significant control over the site, including the ability to install malware, modify content, or compromise user accounts. The impact is amplified if the site handles sensitive user data or is integrated with other critical systems.
CVE-2024-11038 was publicly disclosed on November 19, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability. The EPSS score shown below is 1.11% (78th percentile), which reflects low observed exploitation activity so far despite the ease of exploitation. Monitor security advisories and threat intelligence feeds for updates on exploitation attempts.
Websites using the WPB Popup for Contact Form 7 plugin in version 1.7.5 or earlier are at risk. Sites on shared or managed hosting where the operator does not control the update schedule may stay on an affected version for longer. Websites that rely on the plugin for critical functionality, such as lead generation or customer support, face a higher potential impact if compromised.
• wordpress / composer / npm:
# Is the plugin installed, and does it register the AJAX action named in this advisory?
grep -r 'wpb_pcf_fire_contact_form' /var/www/html/wp-content/plugins/wp-popup-for-contact-form7/
# Is the plugin active? A match only shows that it is present; compare the installed version against 1.7.6.
wp plugin list --status=active | grep 'wp-popup-for-contact-form7'
# Is the action reachable without authentication? admin-ajax.php answers 400 for an action with no nopriv handler, so a 200 here means the handler ran.
# This only checks reachability; confirming shortcode execution needs the handler's input parameter, which this advisory does not name.
curl -sI 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=wpb_pcf_fire_contact_form' | head -n 1
Disclosure
Exploitation status
EPSS
1.11% (78th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11038 is to upgrade the WPB Popup for Contact Form 7 plugin to version 1.7.6 or later. If an immediate upgrade is not possible because of compatibility concerns or breaking changes, temporarily disable the plugin. As a short-term workaround, add a Web Application Firewall (WAF) rule that blocks requests to wp-admin/admin-ajax.php whose action parameter is wpb_pcf_fire_contact_form; admin-ajax.php reads that parameter from both the query string and a POST body, so the rule must match both. Review any recent changes to the plugin's configuration or code, and web-server logs for requests to that action, for suspicious activity. After upgrading, confirm the fix by attempting to trigger the AJAX action and verifying that the input is validated and that no arbitrary shortcode is executed.
Update the WPB Popup for Contact Form 7 plugin to the latest available version. This fixes the arbitrary shortcode execution vulnerability.
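The detection commands above and the mitigation steps here both come down to three checks: is the installed version at or below 1.7.5, does a given request invoke the vulnerable AJAX action (the predicate a WAF rule needs), and has that action already been hit in the access logs. The script below is an added example written for this page, not code from the plugin, WordPress, or the original advisory. It assumes the action name wpb_pcf_fire_contact_form that the detection commands use, a standard WordPress "Version:" plugin header, and access-log lines in Apache combined format; the plugin header and log lines embedded in it are constructed samples, not real files or traffic.

```python
"""Triage helpers for CVE-2024-11038 (WPB Popup for Contact Form 7).

Added example for this page, not the plugin's or WordPress's own code.
Assumptions: the unauthenticated AJAX action is wpb_pcf_fire_contact_form;
the plugin's main file has a standard "Version:" header; the sample
header and log lines below are constructed, not real data.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = "1.7.6"
VULN_ACTION = "wpb_pcf_fire_contact_form"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text: str) -> tuple:
    """'1.7.5' -> (1, 7, 5); numeric compare so 1.10.0 > 1.7.6. Drops a '-beta' suffix."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def plugin_version_from_header(source: str):
    """Return the Version: value from a WordPress plugin header block, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", source, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_version(version: str) -> bool:
    """All versions up to and including 1.7.5 are affected; 1.7.6 carries the fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def targets_vulnerable_action(target: str, body: str = "") -> bool:
    """WAF-style predicate: does this request invoke the vulnerable AJAX action?

    admin-ajax.php reads `action` from $_REQUEST, so it may arrive in the query
    string (GET) or a form-encoded POST body; both are checked. parse_qs handles
    percent-encoding, and endswith() copes with installs under a sub-path.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    actions = parse_qs(parts.query).get("action", []) + parse_qs(body).get("action", [])
    return VULN_ACTION in actions


def scan_access_log(lines):
    """Return (ip, timestamp, target, status) for each logged hit on the action.

    Caveat: the server log holds only the request line, so a POST carrying
    `action` in its body is invisible here; correlate with WAF or PHP-level logs.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and targets_vulnerable_action(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample inputs (not real files or traffic).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WPB Popup for Contact Form 7
 * Version: 1.7.5
 */
"""

SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [20/Nov/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=wpb_pcf_fire_contact_form&id=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [20/Nov/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Nov/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2024:10:03:00 +0000] "GET /index.php?action=wpb_pcf_fire_contact_form HTTP/1.1" 200 1024 "-" "curl/8.4.0"',
]


def triage(plugin_source: str, log_lines) -> dict:
    """Combine the version check and the log scan into one report."""
    version = plugin_version_from_header(plugin_source)
    return {
        "version": version,
        "vulnerable": bool(version) and is_vulnerable_version(version),
        "hits": scan_access_log(log_lines),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PLUGIN_HEADER, SAMPLE_ACCESS_LOG)
    print(f"installed {report['version']}, vulnerable: {report['vulnerable']}")
    for ip, ts, target, status in report["hits"]:
        print(f"{ts} {ip} -> {target} ({status})")
```

On the sample data the report flags version 1.7.5 as vulnerable and lists one hit, the GET from 203.0.113.7 with the action in its query string; the POST with no query string is not matched, which is exactly the blind spot the log caveat describes, and the same request at /index.php is ignored because only admin-ajax.php dispatches AJAX actions. For the WAF, call targets_vulnerable_action() with both the request target and the decoded body; for the post-upgrade check, rerun the version comparison against 1.7.6.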
CVE-2024-11038 is a vulnerability in the WPB Popup for Contact Form 7 plugin that allows unauthenticated attackers to execute arbitrary shortcodes, potentially compromising the website.
You are affected if you are using the WPB Popup for Contact Form 7 plugin in version 1.7.5 or earlier.
Upgrade the WPB Popup for Contact Form 7 plugin to version 1.7.6 or later. If an immediate upgrade is not possible, disable the plugin or block the wpb_pcf_fire_contact_form AJAX action with a WAF rule.
As of November 2024, there are no known public exploits or active campaigns targeting this vulnerability, but monitoring is advised.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and updates.