CVE-2021-24790 - OpenCVE

The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Contact Form Advanced Database Project	Contact Form Advanced Database

Configuration 1 [-]

cpe:2.3:a:contact_form_advanced_database_project:contact_form_advanced_database:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://wpscan.com/vulnerability/adc5dd9b-0781-4cea-8cc5-2c10ac35b968	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WPScan

Published: 2021-12-13T10:40:54

Updated: 2021-12-13T10:40:54

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24790

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-13T11:15:08.593

Modified: 2022-10-24T16:35:12.407

Link: CVE-2021-24790

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Contact Form Advanced Database", "vendor": "Unknown", "versions": [{"lessThanOrEqual": "1.0.8", "status": "affected", "version": "1.0.8", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Quentin VILLAIN (3wsec)"}], "descriptions": [{"lang": "en", "value": "The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-13T10:40:54", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/adc5dd9b-0781-4cea-8cc5-2c10ac35b968"}], "source": {"discovery": "EXTERNAL"}, "title": "Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24790", "STATE": "PUBLIC", "TITLE": "Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Contact Form Advanced Database", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.0.8", "version_value": "1.0.8"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Quentin VILLAIN (3wsec)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862 Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/adc5dd9b-0781-4cea-8cc5-2c10ac35b968", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/adc5dd9b-0781-4cea-8cc5-2c10ac35b968"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24790", "datePublished": "2021-12-13T10:40:54", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2021-12-13T10:40:54", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:contact_form_advanced_database_project:contact_form_advanced_database:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "226F3910-A4EA-4B23-939E-2AF7CF4C9A32", "versionEndIncluding": "1.0.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated."}, {"lang": "es", "value": "El plugin Contact Form Advanced Database de WordPress versiones hasta 1.0.8, no presenta ninguna autorizaci\u00f3n ni comprobaciones de tipo CSRF en sus acciones delete_cf7_data y export_cf7_data AJAX, disponibles para cualquier usuario autenticado, lo que podr\u00eda permitir que usuarios con un rol tan bajo como el de suscriptor las ejecuten. La acci\u00f3n delete_cf7_data podr\u00eda conducir a una eliminaci\u00f3n arbitraria de metadatos, as\u00ed como a una inyecci\u00f3n de objetos PHP si una cadena de gadgets apropiada est\u00e1 presente en otro plugin, ya que los datos del usuario se pasan a la funci\u00f3n maybe_unserialize() sin ser comprobados previamente"}], "id": "CVE-2021-24790", "lastModified": "2022-10-24T16:35:12.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-13T11:15:08.593", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/adc5dd9b-0781-4cea-8cc5-2c10ac35b968"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "contact@wpscan.com", "type": "Secondary"}]}