_
Categories
_

XtraBook Collections

Action and Adventure.

Classics.

Detective and

Mystery

New York times

bestsellers

Biographies.

_
Best sellers
_

This year's top sellers

...

Product has been added to your list.
_
Testimonials
_

What Customer Say

{"error":0,"message":null,"data":{"name":null,"plugin":"admin-menu-editor-pro","link":null,"latest":null,"closed":null,"vulnerability":null},"updated":1753768643}
{"error":0,"message":null,"data":{"name":"Advanced Custom Field Pro","plugin":"advanced-custom-fields-pro","link":"https:\/\/www.advancedcustomfields.com\/pro\/","latest":null,"closed":null,"vulnerability":[{"uuid":"9d5270fbd92f785602bc39cc6b08a16383ebb76497d3789bb1609c3b5c48692a","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 5.9.1","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"5.9.1","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2021-24241","name":"CVE-2021-24241","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-24241","description":"[en] The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.","date":"2021-04-22"},{"id":"3c8809862e75481b3c0d6f82077b1dd4fc1e5941","name":"WordPress Advanced Custom Fields PRO plugin <= 5.9.0 - Reflected Cross-Site Scripting (XSS) vulnerability","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-plugin-5-9-0-reflected-cross-site-scripting-xss-vulnerability","description":"Reflected Cross-Site Scripting (XSS) vulnerability discovered by Juan David Ordo\u00f1ez Noriega in WordPress Advanced Custom Fields PRO plugin (versions <= 5.9.0).","date":"2021-04-02"},{"id":"d1e9c995-37bd-4952-b88e-945e02e3c83f","name":"Advanced Custom Field Pro < 5.9.1 - Authenticated Reflected Cross-Site Scripting (XSS)","link":"https:\/\/wpscan.com\/vulnerability\/d1e9c995-37bd-4952-b88e-945e02e3c83f","description":"The plugin did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.","date":null},{"id":"8baac1001ed6526379494367511c6d621135d630","name":"Advanced Custom Fields Pro <= 5.9.0 - Reflected Cross-Site Scripting","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/in3-marketing\/advanced-custom-fields-pro-590-reflected-cross-site-scripting","description":"The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.","date":"2021-01-20"}],"impact":{"cwe":[{"cwe":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}},{"uuid":"6501abb6cfc4a42168e6a44c39efe27bfd5e14193dec22f9836285acac658e24","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 5.12.1","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"5.12.1","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2022-23183","name":"CVE-2022-23183","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-23183","description":"[en] Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.","date":"2022-03-31"},{"id":"JVNDB-2022-000023","name":"WordPress Plugin \"Advanced Custom Fields\" vulnerable to missing authorization","link":"http:\/\/jvndb.jvn.jp\/jvndb\/JVNDB-2022-000023","description":"WordPress Plugin \"Advanced Custom Fields\" provided by Delicious Brains contains a missing authorization vulnerability (CWE-862). Keitaro Yamazaki of Ierae Security, Inc. reported this vulnerability to IPA. JPCERT\/CC coordinated with the developer under Information Security Early Warning Partnership.\n\nSolution: [Update the plugin] Update the plugin according to the information provided by the developer. The developer has released the versions listed below that address the vulnerabilities. * Advanced Custom Fields 5.12.1 * Advanced Custom Fields Pro 5.12.1","date":"2022-03-30"},{"id":"0102ab8913c828346770d72dae472fb17c179774","name":"WordPress Advanced Custom Fields plugin <= 5.12 - Database Information Access vulnerability","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields\/vulnerability\/wordpress-advanced-custom-fields-plugin-5-12-database-information-access-vulnerability","description":"Database Information Access vulnerability was discovered by Keitaro Yamazaki (Ierae Security Inc) in the WordPress Advanced Custom Fields plugin (versions <= 5.12).","date":"2022-03-30"},{"id":"413576a8-0f20-465e-80cf-7cb0cb22bded","name":"Advanced Custom Fields < 5.12.1 - Contributor+ Database Information Access","link":"https:\/\/wpscan.com\/vulnerability\/413576a8-0f20-465e-80cf-7cb0cb22bded","description":"The plugin does not have proper authorisation which could allow users with a role as low as contributor to view information on the database without the access permission","date":null}],"impact":{"cwe":[{"cwe":"CWE-862","name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."}]}},{"uuid":"ff98694286c632ddbf467deca653bb721728ec2aaf988f6dd241c53a9cacdf0c","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 5.12.3","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"5.12.3","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2022-2594","name":"CVE-2022-2594","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-2594","description":"[en] The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.","date":"2022-08-22"},{"id":"3c2b9275958e48df7a059a1ac6bf56e0a0e4ed09","name":"WordPress Advanced Custom Fields PRO premium plugin <= 5.12.2 - Unauthenticated File Upload vulnerability","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-premium-plugin-5-12-2-unauthenticated-file-upload-vulnerability","description":"Unauthenticated File Upload vulnerability discovered by James Golovich in WordPress Advanced Custom Fields PRO premium plugin (versions <= 5.12.2).\nUpdate the WordPress Advanced Custom Fields PRO plugin to the latest available version (at least 5.12.3).","date":"2022-08-01"},{"id":"3fde5336-552c-4861-8b4d-89a16735c0e2","name":"Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload","link":"https:\/\/wpscan.com\/vulnerability\/3fde5336-552c-4861-8b4d-89a16735c0e2","description":"The plugin allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.\r\n\r\nBy default WordPress does not allow uploading of .php files so this vulnerability is not easily wormable, but there are many other file types that can be uploaded that can be then used with another exploit to execute code or used in a phishing attack to get a user to download and execute a resource from a "trusted" site.","date":null},{"id":"3de6f8e30d3de15171ba35031ec707cc62850ae9","name":"Advanced Custom Fields <= 5.12.2 - File Upload","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-fields\/advanced-custom-fields-5122-file-upload","description":"The Advanced Custom Fields plugin for WordPress has a file upload vulnerability in versions up to, and including, 5.12.2. This allows users without the upload_files capability, such as contributors, or unauthenticated users in cases where a frontend form is added to the site, to upload allowed file types. The upload is handled by WordPress so file type and extension checks still occur, though this could potentially be used by high-privileged users in certain locked-down configurations to bypass other security mechanisms and upload dangerous file types.","date":"2022-07-14"}],"impact":{"cwe":[{"cwe":"CWE-434","name":"Unrestricted Upload of File with Dangerous Type","description":"The product allows the upload or transfer of dangerous file types that are automatically processed within its environment."}]}},{"uuid":"d35dff3c9246ddcd1b7722c5a3650cd9972d7f2213eeb8c741e3e929bb98fbd6","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 5.12.1","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"5.12.1","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2021-20867","name":"CVE-2021-20867","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-20867","description":"[en] Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors.","date":"2021-12-13"},{"id":"f322619a-e85d-4931-8785-eb9cf30cef7f","name":"Advanced Custom Fields < 5.11 - Subscriber+ Arbitrary ACF Data\/Field Groups View and Fields Move","link":"https:\/\/wpscan.com\/vulnerability\/f322619a-e85d-4931-8785-eb9cf30cef7f","description":"Some of the functions did not have proper capability checks in place, allowing low privilege users such as subscribers to view arbitrary ACF data, movie fields, as well as view field groups.","date":null},{"id":"21d0f4ed9866b3408ca2327c06e261d5dddb6182","name":"WordPress Advanced Custom Fields PRO Plugin < 5.11 is vulnerable to Broken Access Control","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-plugin-5-11-missing-authorization-on-option-changes-vulnerability","description":"

WordPress Advanced Custom Fields PRO Plugin < 5.11 is vulnerable to Broken Access Control<\/p>

Affected Version < 5.11<\/p>

Fixed in version 5.11 <\/p>","date":"2024-10-04"}],"impact":{"cwe":[{"cwe":"CWE-862","name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."}]}},{"uuid":"f68471e43b64cf473a346dd1f081bd92a5926b2df6fdaea96f9d99c23ca273bf","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.1.6","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.1.6","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-30777","name":"CVE-2023-30777","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-30777","description":"[en] Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <=\u00a06.1.5 versions.","date":"2023-05-10"},{"id":"ae1ad3ff9ce94a3409ac45cdd8b0bc9465006f34","name":"WordPress Advanced Custom Fields PRO Plugin <= 6.1.5 is vulnerable to Cross Site Scripting (XSS)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-plugin-6-1-5-reflected-cross-site-scripting-xss-vulnerability","description":"Update the WordPress Advanced Custom Fields PRO plugin to the latest available version (at least 6.1.6).\nRafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Custom Fields PRO Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.1.6.","date":"2023-05-05"},{"id":"cd43b2e3d9079c65cf52e6a134b8dc1491c5b16e","name":"WordPress Advanced Custom Fields Plugin <= 6.1.5 is vulnerable to Cross Site Scripting (XSS)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields\/vulnerability\/wordpress-advanced-custom-fields-plugin-6-1-5-reflected-cross-site-scripting-xss-vulnerability","description":"Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 6.1.6).\nRafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Custom Fields Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.1.6.","date":"2023-05-05"},{"id":"95ded80f-a47b-411e-bd17-050439bf565f","name":"Advanced Custom Fields < 6.1.6 - Reflected XSS","link":"https:\/\/wpscan.com\/vulnerability\/95ded80f-a47b-411e-bd17-050439bf565f","description":"The plugins do not escape the post_status parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin","date":null}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:L","av":"n","ac":"l","pr":"n","ui":"r","s":"c","c":"l","i":"l","a":"l","score":"7.1","severity":"h","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}},{"uuid":"acc188e37353e7eecbd0bac19f7888c6bc66ef9b16ada2184b730a9e6822fc06","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 5.12.5","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"5.12.5","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-1196","name":"CVE-2023-1196","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-1196","description":"[en] The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.","date":"2023-05-02"},{"id":"8e5ec88e-0e66-44e4-bbf2-74155d849ede","name":"Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection","link":"https:\/\/wpscan.com\/vulnerability\/8e5ec88e-0e66-44e4-bbf2-74155d849ede","description":"The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.","date":null},{"id":"cf376ca2-92f6-44ff-929a-ace809460a33","name":"Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection","link":"https:\/\/wpscan.com\/vulnerability\/cf376ca2-92f6-44ff-929a-ace809460a33","description":"The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.","date":null}],"impact":{"cwe":[{"cwe":"CWE-502","name":"Deserialization of Untrusted Data","description":"The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid."}]}},{"uuid":"df8b70a8ee35cb5b8639fbd1b3c7df3afacf387895293e87e97e7bc58cc210e1","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] >= 6.1 - <= 6.1.7","description":null,"operator":{"min_version":"6.1","min_operator":"ge","max_version":"6.1.7","max_operator":"le","unfixed":"0","closed":"0"},"source":[{"id":"a7cd906cd399d15df86d40c68e6c902a9c0aac05","name":"WordPress Advanced Custom Fields PRO Plugin 6.1-6.1.7 is vulnerable to Cross Site Scripting (XSS)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-premium-plugin-6-1-7-auth-stored-cross-site-scripting-xss-vulnerability","description":"Update the WordPress Advanced Custom Fields PRO plugin to the latest available version (at least 6.1.8).\nSatoo Nakano, Ryotaro Imamura discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Custom Fields PRO Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.1.8.","date":"2023-08-10"}],"impact":[]},{"uuid":"d1cadcfacbd1fced8b0d92acaf18d440b00a9c0aaea2e28385e84f4416f2c7b8","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.1.8","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.1.8","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"8c7400f6ec36d2ac7aec20c3e0174d776dafba8a","name":"Advanced Custom Fields PRO 6.1 - 6.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-fields-pro\/advanced-custom-fields-pro-61-617-authenticated-administrator-stored-cross-site-scripting","description":"The Advanced Custom Fields PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 6.1 through 6.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","date":"2023-08-10"}],"impact":[]},{"uuid":"536b163abc4bfb30eb30960f80f59517d5c6fe2a1668bc9dba89f889e4a39c52","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.2.5","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.2.5","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"bfb7b80c517bcdd40e7a300e7a19da6c3bdaf026","name":"WordPress Advanced Custom Fields PRO Plugin < 6.2.5 is vulnerable to Cross Site Scripting (XSS)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-plugin-6-2-5-contributor-stored-cross-site-scripting-vulnerability","description":"Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 6.2.5).\nFrancesco Carlucci discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Custom Fields PRO Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.2.5.\nHave additional information or questions about this entry? Get in touch.","date":"2024-01-16"}],"impact":[]},{"uuid":"577a52860f90887d33cef936729585283a5f0904f0ccca42e8a506cce79a3267","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.2.5","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.2.5","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"9a536e07-6e99-45c1-9233-f7cee5c29ea4","name":"Advanced Custom Fields < 6.2.5 - Contributor+ Stored Cross-Site Scripting via Custom Field","link":"https:\/\/wpscan.com\/vulnerability\/9a536e07-6e99-45c1-9233-f7cee5c29ea4","description":"The plugin is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","date":null}],"impact":[]},{"uuid":"53f489985f1c34725cb93d412ec789f265a17054fbe6fddb878ccf9a9f727a14","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.2.10","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.2.10","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2024-34762","name":"CVE-2024-34762","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-34762","description":"[en] Vulnerability discovered by executing a planned security audit.\n\nImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows PHP Local File Inclusion.This issue affects Advanced Custom Fields PRO: from n\/a before 6.2.10.","date":"2024-06-10"},{"id":"fbe26893ef880995c1aef3ffe8de0a92d6cabe51","name":"WordPress Advanced Custom Fields PRO Plugin < 6.2.10 is vulnerable to Local File Inclusion","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-plugin-6-2-10-contributor-local-file-inclusion-vulnerability","description":"

WordPress Advanced Custom Fields PRO Plugin < 6.2.10 is vulnerable to Local File Inclusion<\/p>

Affected Version < 6.2.10<\/p>

Fixed in version 6.2.10 <\/p>","date":"2024-05-15"},{"id":"05826d870b70b1f0602867c34d8b4d2f9840de11","name":"Advanced Custom Fields Pro <= 6.2.9 - Authenticated (Contributor+) Local File Inclusion","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-fields-pro\/advanced-custom-fields-pro-629-authenticated-contributor-local-file-inclusion","description":"The Advanced Custom Fields Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included.","date":"2024-05-15"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H","av":"n","ac":"l","pr":"l","ui":"n","s":"c","c":"h","i":"h","a":"h","score":"9.9","severity":"c","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","description":"The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."}]}},{"uuid":"b8a579f713e85aeefd9202c9534318c6e332332e2dd7207e0b15ddff0b85876e","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.2.10","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.2.10","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2024-34761","name":"CVE-2024-34761","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-34761","description":"[en] Vulnerability discovered by executing a planned security audit.\n\nImproper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n\/a before 6.2.10.","date":"2024-06-10"},{"id":"6cd5a353f2c70058f45f97ec7b22732fd6ca83e1","name":"WordPress Advanced Custom Fields PRO Plugin < 6.2.10 is vulnerable to Local File Inclusion","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-plugin-6-2-10-contributor-arbitrary-function-execution-vulnerability","description":"

WordPress Advanced Custom Fields PRO Plugin < 6.2.10 is vulnerable to Local File Inclusion<\/p>

Affected Version < 6.2.10<\/p>

Fixed in version 6.2.10 <\/p>","date":"2024-05-15"},{"id":"04ae656fc7da3193c9e874c53801860fadfa49ad","name":"Advanced Custom Fields Pro <= 6.2.9 - Authenticated (Contributor+) Code Injection","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-fields-pro\/advanced-custom-fields-pro-629-authenticated-contributor-code-injection","description":"The Advanced Custom Fields Pro plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 6.2.9. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.","date":"2024-05-15"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:H\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H","av":"n","ac":"h","pr":"l","ui":"n","s":"c","c":"h","i":"h","a":"h","score":"8.5","severity":"h","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-94","name":"Improper Control of Generation of Code ('Code Injection')","description":"The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."}]}},{"uuid":"b044280100916036efd740f888bfa0fefbded281f4745dcb5e3a9bc34dc2eba3","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.3.0","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.3.0","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2024-4565","name":"CVE-2024-4565","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-4565","description":"[en] The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access","date":"2024-06-20"},{"id":"dbfc7192bc51d481865183530b8b498062008687","name":"Advanced Custom Fields <= 6.2.10 - Authenticated (Contributor+) Arbitrary Custom Field Access","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/detail\/advanced-custom-fields-6210-authenticated-contributor-arbitrary-custom-field-access","description":"The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to arbitrary custom field access in all versions up to, and including, 6.2.10. This is due to the plugin not properly restricting what post meta can be displayed through the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve potentially sensitive information from custom fields.","date":"2024-05-30"}],"impact":{"cwe":[{"cwe":"CWE-284","name":"Improper Access Control","description":"The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor."}]}},{"uuid":"77dfbeb5d2fc782394d070fe103449b06f655e02b02ed437d5d2d1f1b6422cd0","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.3.2","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.3.2","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2024-37249","name":"CVE-2024-37249","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-37249","description":"[en] Missing Authorization vulnerability in WPEngine Inc. Advanced Custom Fields PRO allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Custom Fields PRO: from n\/a through 6.3.1.","date":"2024-11-01"},{"id":"e3dc57bd6d4157caf6e150ca7a675ede4debdc00","name":"WordPress Advanced Custom Fields PRO Plugin < 6.3.2 is vulnerable to Broken Access Control","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-plugin-6-3-2-contributor-broken-access-control-vulnerability","description":"

WordPress Advanced Custom Fields PRO Plugin < 6.3.2 is vulnerable to Broken Access Control<\/p>

Affected Version < 6.3.2<\/p>

Fixed in version 6.3.2 <\/p>","date":"2024-06-26"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N","av":"n","ac":"l","pr":"l","ui":"n","s":"u","c":"l","i":"n","a":"n","score":"4.3","severity":"m","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-862","name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."}]}},{"uuid":"38f229962a3d3c475b76efafc38a92b5494b15b285cd4e91b4ac506411cf7b38","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.3.2","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.3.2","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2024-37250","name":"CVE-2024-37250","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-37250","description":"[en] Missing Authorization vulnerability in WPEngine Inc. Advanced Custom Fields PRO allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Custom Fields PRO: from n\/a through 6.3.1.","date":"2024-11-01"},{"id":"0ae1937ff75742166590a42edd82954b9fb94187","name":"WordPress Advanced Custom Fields PRO Plugin < 6.3.2 is vulnerable to Broken Access Control","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-6-3-2-subscriber-broken-access-control-vulnerability","description":"

WordPress Advanced Custom Fields PRO Plugin < 6.3.2 is vulnerable to Broken Access Control<\/p>

Affected Version < 6.3.2<\/p>

Fixed in version 6.3.2 <\/p>","date":"2024-06-26"},{"id":"c0ea6b247eb431377119c5198efa65fee6fb7a0a","name":"Advanced Custom Fields Pro <= 6.3.1 - Missing Authorization","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-fields-pro\/advanced-custom-fields-pro-631-missing-authorization","description":"The Advanced Custom Fields Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","date":"2024-06-26"},{"id":"833c503c4756c3af357a8af8963a7a5c92b0b344","name":"Advanced Custom Fields Pro <= 6.3.1 - Missing Authorization","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-fields-pro\/advanced-custom-fields-pro-631-missing-authorization-1","description":"The Advanced Custom Fields Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.3.1. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","date":"2024-06-26"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:N","av":"n","ac":"l","pr":"l","ui":"n","s":"u","c":"l","i":"l","a":"n","score":"5.4","severity":"m","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-862","name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."}]}},{"uuid":"559bdd22657af0dee5816535c1ead128bd95b2a4cdef85c1ccf6e945837f5b49","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.3.2","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.3.2","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2024-37251","name":"CVE-2024-37251","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-37251","description":"[en] Cross-Site Request Forgery (CSRF) vulnerability in WPENGINE, INC. Advanced Custom Fields PRO.This issue affects Advanced Custom Fields PRO: from n\/a before 6.3.2.","date":"2024-12-16"},{"id":"3bd7277b28c91f32fb2b043be10eac93c2fd4f73","name":"WordPress Advanced Custom Fields PRO Plugin < 6.3.2 is vulnerable to Cross Site Request Forgery (CSRF)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-plugin-6-3-2-cross-site-request-forgery-csrf-vulnerability","description":"

WordPress Advanced Custom Fields PRO Plugin < 6.3.2 is vulnerable to Cross Site Request Forgery (CSRF)<\/p>

Affected Version < 6.3.2<\/p>

Fixed in version 6.3.2 <\/p>","date":"2024-06-26"},{"id":"5a0956806ce1ee345856a497a5f4fe09123dce6d","name":"Advanced Custom Fields Pro <= 6.3.1 - Cross-Site Request Forgery","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-fields-pro\/advanced-custom-fields-pro-631-cross-site-request-forgery","description":"The Advanced Custom Fields Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.3.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","date":"2024-06-26"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:L\/A:N","av":"n","ac":"l","pr":"n","ui":"r","s":"u","c":"n","i":"l","a":"n","score":"4.3","severity":"m","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-352","name":"Cross-Site Request Forgery (CSRF)","description":"The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor."}]}},{"uuid":"fd9126c2eb89be17d3e2fef03b2c0fc1cac3056f7abbe21a2e6875bd10f3b745","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.3.6","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.3.6","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2024-45429","name":"CVE-2024-45429","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-45429","description":"[en] Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's.","date":"2024-09-04"},{"id":"JVNDB-2024-000093","name":"WordPress Plugin \"Advanced Custom Fields\" vulnerable to cross-site scripting","link":"http:\/\/jvndb.jvn.jp\/jvndb\/JVNDB-2024-000093","description":"The field labels in WordPress Plugin \"Advanced Custom Fields\" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79). Ryo Sotoyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT\/CC coordinated with the developer under Information Security Early Warning Partnership.\n\nSolution: [Update the plugin] Update the plugin according to the information provided by the developer. The developer has released the versions listed below that address the vulnerability. * Advanced Custom Fields version 6.3.6 * Advanced Custom Fields Pro 6.3.6","date":"2024-09-04"},{"id":"be4d36ad2a7bdb42e3b5eb6a069160a07d678d7c","name":"Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/detail\/advanced-custom-fields-635-authenticated-stored-cross-site-scripting","description":"The Advanced Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via field groups in all versions up to, and including, 6.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with the 'capability' setting privilege, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","date":"2024-09-04"}],"impact":[]},{"uuid":"f11fe7bef0e8972b25835ec2e268960c068a20462e332e2dac7c35e68b75436d","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.3.8","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.3.8","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"7e825feade777e676c0565a26ea311ec75ec9cdc","name":"Advanced Custom Fields <= 6.3.8 - Authenticated (Admin+) Limited Arbitrary Function Call","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/advanced-custom-fields\/advanced-custom-fields-637-authenticated-admin-limited-arbitrary-function-call","description":"The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to limited arbitrary function calls via the 'register_meta_box_cb' and 'meta_box_cb' parameters in all versions up to, and including, 6.3.8 (excluding 6.3.6.2) due to insufficient input validation on those parameters. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary functions, like WordPress functions, in custom post types that will execute whenever a user accesses the injected post type. This can be leveraged to trick other users like administrators accessing posts into performing unauthorized actions through functions, and is not a very serious risk for the vast majority of site owners. Please follow the reference listed in this vulnerability record for instructions on how to update to the latest version of ACF that patches this issue and ensures accessibility to updates moving forward. Please note this issue was partially patched in 6.3.8 and 6.3.6.1 - 6.3.6.2, however, was hardened further in 6.3.6.3 and 6.3.9.","date":"2024-10-07"}],"impact":[]},{"uuid":"0e71ccd87d44db90028666abad6897800c4a72134d158f64bf8fbe37f457469c","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.3.9","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.3.9","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"6872ad989a01a94ce51c39f36553acc5205de23b","name":"Advanced Custom Fields <= 6.3.8 & Secure Custom Fields <= 6.3.6.2 - Authenticated (Admin+) Stored Cross-Site Scripting","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/detail\/advanced-custom-fields-638-secure-custom-fields-6362-authenticated-admin-stored-cross-site-scripting","description":"The Advanced Custom Fields & Secure Custom Fields plugins for WordPress are vulnerable to Stored Cross-Site Scripting via ACF field labels in all versions up to, and including, 6.3.8 & 6.3.6.2 respectively due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Please follow the reference listed in this vulnerability record for instructions on how to update to the latest version of ACF that patches this issue and ensures accessibility to updates moving forward. Special note: only the minified files in Secure Custom Fields have been patched meaning the source build files are still vulnerable.","date":"2024-10-15"}],"impact":[]},{"uuid":"b3ea7226b78236a1afda073daa5531526f14bfe3e2401ffda1a9edabaf3b9841","name":"Advanced Custom Field Pro [advanced-custom-fields-pro] < 6.3.9","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"6.3.9","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"7cc041978caeeff251360e5417c32093542fbc58","name":"WordPress Advanced Custom Fields PRO Plugin <= 6.3.8 is vulnerable to Cross Site Scripting (XSS)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/advanced-custom-fields-pro\/vulnerability\/wordpress-advanced-custom-fields-pro-6-3-8-authenticated-admin-stored-cross-site-scripting-vulnerability","description":"

WordPress Advanced Custom Fields PRO Plugin <= 6.3.8 is vulnerable to Cross Site Scripting (XSS)<\/p>

Affected Version <= 6.3.8<\/p>

Fixed in version 6.3.9 <\/p>","date":"2024-10-16"}],"impact":[]}]},"updated":"1729150159"}

{"error":0,"message":null,"data":{"name":"Ultra Addons for Contact Form 7","plugin":"ultimate-addons-for-contact-form-7","link":"https:\/\/wordpress.org\/plugins\/ultimate-addons-for-contact-form-7\/","latest":"1765471200","closed":0,"vulnerability":[{"uuid":"f7d083c15ee86ab642e39b7ba8a824df933ecd32a67e527815e2b45601dacead","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.1.24","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.1.24","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-30495","name":"CVE-2023-30495","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-30495","description":"[en] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Ultimate Addons for Contact Form 7.This issue affects Ultimate Addons for Contact Form 7: from n\/a through 3.1.23.","date":"2023-12-20"},{"id":"9f86530a7d41e5ec6393c62a3f4e630cf4aa7689","name":"WordPress Ultimate Addons for Contact Form 7 Plugin <= 3.1.23 is vulnerable to SQL Injection","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/ultimate-addons-for-contact-form-7\/vulnerability\/wordpress-ultimate-addons-for-contact-form-7-plugin-3-1-23-sql-injection-vulnerability","description":"Update the WordPress Ultimate Addons for Contact Form 7 plugin to the latest available version (at least 3.1.24).\nIvy (TOOR, LISA) discovered and reported this SQL Injection vulnerability in WordPress Ultimate Addons for Contact Form 7 Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 3.1.24.","date":"2023-04-24"},{"id":"094695ca8830dc1de8128687364246f21b4c7dbe","name":"Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated (Subscriber+) SQL Injection via id","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-3123-authenticated-subscriber-sql-injection-via-id","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to generic SQL Injection via the \u2018id\u2019 parameter in versions up to, and including, 3.1.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","date":"2023-04-24"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:N\/A:L","av":"n","ac":"l","pr":"l","ui":"n","s":"c","c":"h","i":"n","a":"l","score":"8.5","severity":"h","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-89","name":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","description":"The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data."}]}},{"uuid":"399ae8ce80d45b7a8168933f950eb3f22c95558d977be529c8a7d95839a9be18","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.1.24","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.1.24","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2022-47586","name":"CVE-2022-47586","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-47586","description":"[en] Unauth. SQL Injection (SQLi) vulnerability in Themefic Ultimate Addons for Contact Form 7 plugin <=\u00a03.1.23 versions.","date":"2023-06-19"},{"id":"210c1c80d3fd64a2b7bb120c76292918ff883115","name":"WordPress Ultimate Addons for Contact Form 7 Plugin <= 3.1.23 is vulnerable to SQL Injection","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/ultimate-addons-for-contact-form-7\/vulnerability\/wordpress-ultimate-addons-for-contact-form-7-plugin-3-1-23-sql-injection","description":"Update the WordPress Ultimate Addons for Contact Form 7 plugin to the latest available version (at least 3.1.24).\nminhtuanact discovered and reported this SQL Injection vulnerability in WordPress Ultimate Addons for Contact Form 7 Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 3.1.24.","date":"2023-05-09"},{"id":"7f6b7029d8d0017f2b88c7a1137702ccc537b4a3","name":"Ultimate Addons for Contact Form 7 <= 3.1.23 - Unauthenticated SQL Injection via form_id","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-3123-unauthenticated-sql-injection-via-form-id","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the id, and form_id parameter in versions up to, and including, 3.1.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","date":"2023-05-09"},{"id":"0fb4da7c-e9ba-4ddf-b37f-5453603c6399","name":"Ultimate Addons for Contact Form 7 < 3.1.24 - Unauthenticated SQLi","link":"https:\/\/wpscan.com\/vulnerability\/0fb4da7c-e9ba-4ddf-b37f-5453603c6399","description":"The plugin does not properly sanitise and escape the id and form_id parameters before using them in a SQL statement, leading to a SQL injection exploitable by unauthenticated users","date":null}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:H\/I:N\/A:L","av":"n","ac":"l","pr":"n","ui":"r","s":"c","c":"h","i":"n","a":"l","score":"8.2","severity":"h","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-89","name":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","description":"The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data."}]}},{"uuid":"06a142c606dffe1f89491b7c7cc6f4612ac601b3bd303469509c82da21772294","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.1.24","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.1.24","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-1615","name":"CVE-2023-1615","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-1615","description":"[en] The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in versions up to, and including, 3.1.23. This makes it possible for authenticated attackers of any authorization level to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","date":"2023-06-09"},{"id":"c9915536f7aba9fc8fe8760cb925b2deb6ccfe2b","name":"Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated(Subscriber+) SQL Injection","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-3123-authenticatedsubscriber-sql-injection","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in versions up to, and including, 3.1.23. This makes it possible for authenticated attackers of any authorization level to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","date":"2023-06-08"},{"id":"c0006c2b-5065-43b4-a76b-405a202b2fc6","name":"Ultimate Addons for Contact Form 7 < 3.1.24 - Subscriber+ SQL Injection","link":"https:\/\/wpscan.com\/vulnerability\/c0006c2b-5065-43b4-a76b-405a202b2fc6","description":"The plugin does not properly sanitize the 'id' parameter, leading to a SQL Injection vulnerability.","date":null},{"id":"ba3d8621-a243-4d34-8378-882a20464cc8","name":"Ultimate Addons for Contact Form 7 3.1.23 - Subscriber+ SQLi","link":"https:\/\/wpscan.com\/vulnerability\/ba3d8621-a243-4d34-8378-882a20464cc8","description":"The plugin does not properly sanitise and escape the id parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers","date":null}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H","av":"n","ac":"l","pr":"l","ui":"n","s":"u","c":"h","i":"h","a":"h","score":"8.8","severity":"h","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-89","name":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","description":"The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data."}]}},{"uuid":"e0a6457aa6b6212475402822f80e2fb06a4780971ad2beac6e691cf79e298a89","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.1.29","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.1.29","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-2802","name":"CVE-2023-2802","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-2802","description":"[en] The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)","date":"2023-08-14"},{"id":"c5cc136a-2fa6-44ff-b5b5-26d367937df9","name":"Ultimate Addons for Contact Form 7 < 3.1.29 - Admin+ Stored XSS","link":"https:\/\/wpscan.com\/vulnerability\/c5cc136a-2fa6-44ff-b5b5-26d367937df9","description":"The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)","date":null},{"id":"c9cfbdc49324c27600947e5187b17cf04c43b8e5","name":"Ultimate Addons for Contact Form 7 <= 3.1.28 - Authenticated (Admin+) Stored Cross-Site Scripting","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-3128-authenticated-admin-stored-cross-site-scripting","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings like the 'Redirect URL' field in versions up to, and including, 3.1.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","date":"2023-07-24"}],"impact":{"cwe":[{"cwe":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}},{"uuid":"da45ec3e320d81280af4ff5a0a87ea55ddece3ea5366e53912a5dba7d4c092c0","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.1.29","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.1.29","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-2803","name":"CVE-2023-2803","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-2803","description":"[en] The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.","date":"2023-08-14"},{"id":"ec640d47-bb22-478d-9668-1dab72f12f8d","name":"Ultimate Addons for Contact Form 7 < 3.1.29 - Reflected XSS","link":"https:\/\/wpscan.com\/vulnerability\/ec640d47-bb22-478d-9668-1dab72f12f8d","description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.","date":null},{"id":"b06059752f70192023b427680ab697136a6c4cc9","name":"Ultimate Addons for Contact Form 7 <= 3.1.28 - Reflected Cross-Site Scripting","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-3128-reflected-cross-site-scripting","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in versions up to, and including, 3.1.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","date":"2023-07-24"}],"impact":{"cwe":[{"cwe":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}},{"uuid":"7045b90f11b59eb69c98ee7cc63d8df07f5674b1de8804682664266902117d63","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.2.1","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.2.1","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-30493","name":"CVE-2023-30493","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-30493","description":"[en] Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Themefic Ultimate Addons for Contact Form 7 plugin <=\u00a03.2.0 versions.","date":"2023-09-27"},{"id":"0bfaf7d1b74df63bc0884cf4fc9250500284eea5","name":"WordPress Ultimate Addons for Contact Form 7 Plugin <= 3.1.32 is vulnerable to Cross Site Scripting (XSS)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/ultimate-addons-for-contact-form-7\/vulnerability\/wordpress-ultimate-addons-for-contact-form-7-plugin-3-1-32-reflected-cross-site-scripting-xss-vulnerability","description":"No patched version is available. No reply from the vendor.\nLEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Ultimate Addons for Contact Form 7 Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.","date":"2023-08-28"},{"id":"c6bc47186f5a252cc2d276089e87adb29a21e8d5","name":"Ultimate Addons for Contact Form 7 <= 3.1.0 - Reflected Cross-Site Scripting via 'page'","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-3132-reflected-cross-site-scripting-via-page","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018page\u2019 parameter in versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","date":"2023-08-28"},{"id":"698b8835-d133-470d-ae38-5331afe55089","name":"Ultimate Addons for Contact Form 7 < 3.2.1 - Reflected XSS","link":"https:\/\/wpscan.com\/vulnerability\/698b8835-d133-470d-ae38-5331afe55089","description":"The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin","date":null}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:L","av":"n","ac":"l","pr":"n","ui":"r","s":"c","c":"l","i":"l","a":"l","score":"7.1","severity":"h","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}},{"uuid":"e2e5132ab25bb3d4a34bb71c7b39ffd904e3fa4338061a94819b4e35e80dada0","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.2.11","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.2.11","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-47693","name":"CVE-2023-47693","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-47693","description":"[en] Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n\/a through 3.2.6.","date":"2025-01-02"},{"id":"502d8f188d7e9d7c3ae1c48a080550942d2d93a3","name":"WordPress Ultimate Addons for Contact Form 7 Plugin <= 3.2.6 is vulnerable to Broken Access Control","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/ultimate-addons-for-contact-form-7\/vulnerability\/wordpress-ultimate-addons-for-contact-form-7-plugin-3-2-5-broken-access-control-vulnerability","description":"No patched version is available.\nminhtuanact discovered and reported this Broken Access Control vulnerability in WordPress Ultimate Addons for Contact Form 7 Plugin. A broken access control issue refers to a missing authorization, authentication or nonce token check in a function that could lead to an unprivileged user to executing a certain higher privileged action. This vulnerability has not been known to be fixed yet.","date":"2023-11-09"},{"id":"e7d86e219bcba47886376ea23cd52fcd081ddeec","name":"Ultimate Addons for Contact Form 7 <= 3.2.10 - Missing Authorization","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-326-missing-authorization","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the uacf7_database_export_csv() function hooked via init in versions up to, and including, 3.2.10. This makes it possible for unauthenticated attackers to export data from contact forms. This has been \"partially\" patched in 3.2.7, however, since the nonce is exposed to subscribers this can still be exploited by subscriber-level users and above. Version 3.2.11 introduces a capability check.","date":"2023-11-09"},{"id":"77ffb89d-18bd-4b0d-ad4a-c0d716a5f16c","name":"Ultimate Addons for Contact Form 7 < 3.2.11 - Missing Authorization","link":"https:\/\/wpscan.com\/vulnerability\/77ffb89d-18bd-4b0d-ad4a-c0d716a5f16c","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the uacf7_database_export_csv() function hooked via init in versions up to, and including, 3.2.10. This makes it possible for unauthenticated attackers to export data from contact forms. This has been "partially" patched in 3.2.7, however, since the nonce is exposed to subscribers this can still be exploited by subscriber-level users and above. Version 3.2.11 introduces a capability check.","date":null}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N","av":"n","ac":"l","pr":"n","ui":"n","s":"u","c":"h","i":"n","a":"n","score":"7.5","severity":"h","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-862","name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."}]}},{"uuid":"5b2179c35543d547a5459665c8279f99b8e153119748ab1c465a7e631ed95427","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.2.1","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.2.1","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2023-49766","name":"CVE-2023-49766","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-49766","description":"[en] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Stored XSS.This issue affects Ultimate Addons for Contact Form 7: from n\/a through 3.2.0.","date":"2023-12-14"},{"id":"0cb48c217646077c00d57cfd114fa769ee0ada2a","name":"WordPress Ultimate Addons for Contact Form 7 Plugin <= 3.2.0 is vulnerable to Cross Site Scripting (XSS)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/ultimate-addons-for-contact-form-7\/vulnerability\/wordpress-ultimate-addons-for-contact-form-7-plugin-3-2-0-unauthenticated-cross-site-scripting-xss-vulnerability","description":"Update the WordPress Ultimate Addons for Contact Form 7 plugin to the latest available version (at least 3.2.1).\nFearZzZz discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Ultimate Addons for Contact Form 7 Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.2.1.","date":"2023-12-04"},{"id":"c33d964b5f43f67bdd224603bd0cc69971ed5804","name":"Ultimate Addons for Contact Form 7 <= 3.2.0 - Reflected Cross-Site Scripting","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-320-reflected-cross-site-scripting","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","date":"2023-12-04"},{"id":"2efa040d-f439-4603-82c7-b7559c168a5d","name":"Ultimate Addons for Contact Form 7 < 3.2.1 - Reflected Cross-Site Scripting","link":"https:\/\/wpscan.com\/vulnerability\/2efa040d-f439-4603-82c7-b7559c168a5d","description":"The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","date":null}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:L","av":"n","ac":"l","pr":"n","ui":"r","s":"c","c":"l","i":"l","a":"l","score":"7.1","severity":"h","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."}]}},{"uuid":"8ee071888b4fa850d1b3733a2fdc1f68227597af5a7af0536ad9797e7160ca9f","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.5.13","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.5.13","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2025-6220","name":"CVE-2025-6220","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-6220","description":"","date":null},{"id":"6b62a565209fe9beb479f4a8e081779debfa70b9","name":"Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options'","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultimate-addons-for-contact-form-7-3512-authenticated-administrator-arbitrary-file-upload-via-save-options","description":"The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.","date":null},{"id":"3b24e4fe3f6ba5926c7bd5a4d45755af8803b2c4","name":"WordPress Ultimate Addons for Contact Form 7 Plugin <= 3.5.12 is vulnerable to Arbitrary File Upload","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/ultimate-addons-for-contact-form-7\/vulnerability\/wordpress-ultimate-addons-for-contact-form-7-plugin-3-5-12-authenticated-administrator-arbitrary-file-upload-via-save-options-vulnerability","description":"

WordPress Ultimate Addons for Contact Form 7 Plugin <= 3.5.12 is vulnerable to Arbitrary File Upload<\/p>

Software: Ultimate Addons for Contact Form 7<\/p>

Fixed in version 3.5.13 <\/p>

Affected Version <= 3.5.12<\/p>

CVE: CVE-2025-6220<\/p>","date":"2025-06-18"}],"impact":[]},{"uuid":"db6b18be0f5815df8566836ac8eb28977ab30f78c6b304b94b7a5f1c84eb6ed6","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.5.20","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.5.20","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2025-6212","name":"CVE-2025-6212","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-6212","description":"","date":null},{"id":"8b889aa06921254553cc3aa9a3b9d9465a8edc48","name":"Ultra Addons for Contact Form 7 3.5.11 - 3.5.19 - Unauthenticated Stored Cross-Site Scripting via Database module","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultra-addons-for-contact-form-7-3511-3519-unauthenticated-stored-cross-site-scripting-via-database-module","description":"The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer injects them directly into the DOM without any HTML encoding. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","date":null}],"impact":[]},{"uuid":"cc7236e027068f5092392b50e3ef6ab34229407fb09dd30098369aaf6eba8d3b","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.5.22","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.5.22","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2025-6756","name":"CVE-2025-6756","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-6756","description":"","date":null},{"id":"c8012744557af524dec17a19ec11fd95bfb7a99c","name":"Ultra Addons for Contact Form 7 <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/ultimate-addons-for-contact-form-7\/ultra-addons-for-contact-form-7-3521-authenticated-contributor-stored-cross-site-scripting-via-uacf7-custom-fields-shortcode","description":"The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's UACF7_CUSTOM_FIELDS shortcode in all versions up to, and including, 3.5.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","date":null}],"impact":[]},{"uuid":"0c1ef38c0727e98e9a9986cef3ea5d23c953824287ec1d87c56783906cb83fdd","name":"Ultra Addons for Contact Form 7 [ultimate-addons-for-contact-form-7] < 3.5.34","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"3.5.34","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2025-14356","name":"CVE-2025-14356","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14356","description":"[en] The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the \"PDF Generator\" and the \"Database\" addons are enabled (disabled by default).","date":"2025-12-12"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N","av":"n","ac":"l","pr":"l","ui":"n","s":"u","c":"l","i":"n","a":"n","score":"4.3","severity":"m","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-639","name":"Authorization Bypass Through User-Controlled Key","description":"The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data."}]}}]},"updated":"1765609494"}

{"error":0,"message":null,"data":{"name":null,"plugin":"wp-toolbar-editor","link":null,"latest":null,"closed":null,"vulnerability":null},"updated":1753774603}
Special Offers

Get %20 off for your first order!

An online book is a resource in book-like form that is only available to read on the Internet.

It differs from the common idea of an e-book.

_
Authors
_

Most Popular Authors

Adam Grant

Psychologist

Dan Brown

American author

James Patterson

Psychologist

J. K. Rowling

British author