CVE-2022-45285
https://notcve.org/view.php?id=CVE-2022-45285
Vsourz Digital Advanced Contact form 7 DB Versions 1.7.2 and 1.9.1 is vulnerable to Cross Site Scripting (XSS). • https://github.com/IthacaLabs/Vsourz-Digital/blob/main/AdvancedContactForm_CF7_DB_XSS https://github.com/IthacaLabs/Vsourz-Digital/blob/main/AdvancedContactForm_CF7_DB_XSS/AdvancedContactForm_CF7_DB_XSS.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-29408 – WordPress Advanced Contact form 7 DB plugin <= 1.8.7 - Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-29408
Persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin <= 1.8.7 at WordPress. Una vulnerabilidad persistente de tipo cross-Site Scripting (XSS) en el plugin Advanced Contact form 7 DB de Vsourz Digital versiones anteriores a 1.8.7 incluyéndola, en WordPress • https://patchstack.com/database/vulnerability/advanced-cf7-db/wordpress-advanced-contact-form-7-db-plugin-1-8-7-persistent-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/advanced-cf7-db • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24905 – Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2021-24905
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users. El plugin Advanced Contact form 7 DB de WordPress versiones anteriores a 1.8.7, no presenta comprobaciones de autorización ni de tipo CSRF en la acción AJAX acf7_db_edit_scr_file_delete, y no valida el archivo a eliminar, permitiendo a cualquier usuario autenticado eliminar archivos arbitrarios en el servidor web. Por ejemplo, eliminar el archivo wp-config.php permite a atacantes volver a desencadenar la configuración de WordPress, alcanzar privilegios de administrador y ejecutar código arbitrario o mostrar contenido arbitrario a usuarios • https://wpscan.com/vulnerability/cf022415-6614-4b95-913b-802186766ae6 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-863: Incorrect Authorization •
CVE-2019-13571 – Advanced Contact Form 7 DB <= 1.6.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-13571
A SQL injection vulnerability exists in the Vsourz Digital Advanced CF7 DB plugin through 1.6.1 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system. Se presenta una vulnerabilidad de inyección SQL en el complemento Advanced CF7 DB de Vsourz Digital hasta versión 1.6.1 para WordPress. La explotación con éxito de esta vulnerabilidad permitiría a un atacante remoto ejecutar comandos SQL arbitrarios sobre el sistema afectado. A SQL injection vulnerability exists in the Vsourz Digital Advanced CF7 DB plugin through 1.6.1 for WordPress. • https://fortiguard.com/zeroday/FG-VD-19-093 https://github.com/beerpwn/ctf/blob/master/CVE/CVE-2019-13571/report.pdf https://github.com/beerpwn/ctf/tree/master/CVE/CVE-2019-13571 https://plugins.trac.wordpress.org/changeset/2123623 https://wordpress.org/plugins/advanced-cf7-db/#developers https://wpvulndb.com/vulnerabilities/9479 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •