// For flags

CVE-2024-4144

Simple Basic Contact Form <= 20240502 - Unauthenticated Arbitrary Shortcode Execution

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the functionality of other plugins installed in the environment.

El complemento Simple Basic Contact Form para WordPress para WordPress es vulnerable a la ejecución de códigos cortos arbitrarios en todas las versiones hasta la 20240502 incluida. Esto permite a atacantes no autenticados ejecutar códigos cortos arbitrarios. La gravedad y la explotabilidad dependen de la funcionalidad de otros complementos instalados en el entorno.

*Credits: Matthew Rollings
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-04-24 CVE Reserved
  • 2024-05-13 CVE Published
  • 2024-05-15 EPSS Updated
  • 2024-08-01 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Wpkube
Search vendor "Wpkube"
 Simple Basic Contact Form
Search vendor "Wpkube" for product "Simple Basic Contact Form"
 <= 20240502
Search vendor "Wpkube" for product "Simple Basic Contact Form" and version " <= 20240502"
en
Affected