CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5654 – CF7 Google Sheets Connector <= 5.0.9 - Missing Authorization to Limited Site Configuration Update
https://notcve.org/view.php?id=CVE-2024-5654
The CF7 Google Sheets Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'execute_post_data_cg7_free' function in all versions up to, and including, 5.0.9. This makes it possible for unauthenticated attackers to toggle site configuration settings, including WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG, and SAVEQUERIES. El complemento CF7 Google Sheets Connector para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función 'execute_post_data_cg7_free' en todas las versiones hasta la 5.0.9 incluida. Esto hace posible que atacantes no autenticados alterne las configuraciones de configuración del sitio, incluidos WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG y SAVEQUERIES. • https://plugins.trac.wordpress.org/browser/cf7-google-sheets-connector/trunk/includes/class-gs-service.php#L52 https://plugins.trac.wordpress.org/changeset/3099184 https://www.wordfence.com/threat-intel/vulnerabilities/id/c0da4d55-5025-47cf-9f45-377d8943fc94?source=cve • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44989 – WordPress CF7 Google Sheets Connector plugin <= 5.0.5 - Sensitive Data Exposure via Debug Log vulnerability
https://notcve.org/view.php?id=CVE-2023-44989
Insertion of Sensitive Information into Log File vulnerability in GSheetConnector CF7 Google Sheets Connector.This issue affects CF7 Google Sheets Connector: from n/a through 5.0.5. Vulnerabilidad de inserción de información confidencial en un archivo de registro en GSheetConnector CF7 Google Sheets Connector. Este problema afecta a CF7 Google Sheets Connector: desde n/a hasta 5.0.5. The CF7 Google Sheets Connector plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.0.5 via the debug log functionality in google-sheet-connector.php. This makes it possible for unauthenticated attackers to extract sensitive data. • https://patchstack.com/database/vulnerability/cf7-google-sheets-connector/wordpress-cf7-google-sheets-connector-plugin-5-0-5-sensitive-data-exposure-via-debug-log-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2023-2320 – CF7 Google Sheets Connector < 5.0.2 - Reflected XSS
https://notcve.org/view.php?id=CVE-2023-2320
The CF7 Google Sheets Connector WordPress plugin before 5.0.2, cf7-google-sheets-connector-pro WordPress plugin through 5.0.2 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The CF7 Google Sheets Connector plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘code’ parameter in versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/f17ccbaa-2fcd-4f17-a4da-73f2bc8a4fe9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •