CVE-2022-45285
https://notcve.org/view.php?id=CVE-2022-45285
Vsourz Digital Advanced Contact form 7 DB versions 1.7.2 and 1.9.1 are vulnerable to Cross-Site Scripting (XSS). Note that 1.9.1 is later than the 1.8.7 fix for CVE-2022-29408 below, so an upgrade made for that issue does not on its own close this one. • https://github.com/IthacaLabs/Vsourz-Digital/blob/main/AdvancedContactForm_CF7_DB_XSS https://github.com/IthacaLabs/Vsourz-Digital/blob/main/AdvancedContactForm_CF7_DB_XSS/AdvancedContactForm_CF7_DB_XSS.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29408 – WordPress Advanced Contact form 7 DB plugin <= 1.8.7 - Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-29408
Unauthenticated persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin for WordPress, versions 1.8.7 and earlier. • https://patchstack.com/database/vulnerability/advanced-cf7-db/wordpress-advanced-contact-form-7-db-plugin-1-8-7-persistent-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/advanced-cf7-db • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24905 – Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2021-24905
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 has neither authorization nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user (Subscriber role or above) to delete arbitrary files on the web server. For example, removing wp-config.php allows attackers to trigger the WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to users. • https://wpscan.com/vulnerability/cf022415-6614-4b95-913b-802186766ae6 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-863: Incorrect Authorization
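The bug class in CVE-2021-24905 is an AJAX handler reachable by every logged-in user that trusts a caller-supplied path. The following is an added example, not the plugin's own code: a hypothetical WordPress AJAX file-deletion action written the way the advisory describes (no capability check, no nonce, no path validation), next to a hardened version that adds all three. The action name acme_delete_upload, the "file" and "nonce" POST parameters, and the acme-cf7-files upload subdirectory are assumptions for illustration.

```php
<?php
// Added example, not code from the Advanced Contact form 7 DB plugin.
// Action name, parameter names and the upload subdirectory are assumptions.

// --- Vulnerable shape (mirrors the advisory, do not ship this) ---
// wp_ajax_* hooks fire for any authenticated user, including Subscribers.
// Nothing here checks who is calling, whether the request was intentional,
// or where the path points, so "../../wp-config.php" is accepted as-is.
function acme_delete_upload_vulnerable() {
    $file = $_POST['file'];
    if ( file_exists( $file ) ) {
        unlink( $file );
    }
    wp_die();
}

// --- Hardened version ---
function acme_delete_upload_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and
    //    this user (client side: wp_create_nonce( 'acme_delete_upload' )).
    check_ajax_referer( 'acme_delete_upload', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability
    //    that Subscribers do not have.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Path validation: accept a bare file name only, then resolve it and
    //    prove it lives inside the directory this feature is allowed to touch.
    $name = isset( $_POST['file'] )
        ? sanitize_file_name( wp_unslash( $_POST['file'] ) )
        : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'bad file name', 400 );
    }

    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] . '/acme-cf7-files' ); // assumed
    $target = realpath( $base . '/' . $name );

    // realpath() returns false for missing paths and collapses symlinks and
    // any "../" segments, so a prefix check on the resolved path is the
    // containment test, not string filtering of the input.
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'file not in allowed directory', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $name ) );
}

// Only the hardened handler is registered, and only on wp_ajax_ (not
// wp_ajax_nopriv_), so unauthenticated callers never reach it.
add_action( 'wp_ajax_acme_delete_upload', 'acme_delete_upload_hardened' );
```

When reviewing a plugin for this pattern, look for wp_ajax_ (and especially wp_ajax_nopriv_) registrations whose callbacks touch the filesystem or database without a check_ajax_referer()/wp_verify_nonce() call and a current_user_can() check near the top; a Subscriber account in a test site is enough to exercise the vulnerable shape above.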