Contact form 7 vulnerability found by Hedgehog
Posted on 2014-02-26 by Peter Bassill in category Penetration Testing.
The Contact Form 7 vulnerability was published by our penetration tester, Hannah Sharp, in February 2014. The Rock Lobster Contact Form 7 WordPress plugin, prior to version 3.7.2, allowed remote attackers to bypass the CAPTCHA protection and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter from the form submission. The numeric suffix is the name of the CAPTCHA tag in the affected form and differs from form to form; the weakness is that the CAPTCHA was only validated when that parameter was present, so simply dropping it from the POST body skipped the check and the submission was accepted.
The Contact Form 7 vulnerability was discovered by Hannah Sharp during a routine <a href="/penetration-testing/web-application/">web application</a> <a href="/penetration-testing/">penetration test</a> of our own website following the deployment of the latest plugin updates. Rock Lobster was contacted immediately and turned around the fix and updates very quickly. The vulnerability was published under CVE-2014-2265.
| Field | Value |
|---|---|
| Author | Hannah Sharp |
| Affected | Contact Form 7 WordPress plugin, versions prior to 3.7.2 |
| Issue | It is possible to bypass the CAPTCHA challenge by omitting the _wpcf7_captcha_challenge_captcha-719 value from the submission |
| Risk | No anti-robot protection on the form, which can result in misuse of the form by spammers |
| CVE | CVE-2014-2265 |
| CVSS | 5.0 (CVSS v2: AV:N/AC:L/Au:N/C:N/I:P/A:N) |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
| Access Complexity | Low |
| Authentication | Not Required |
| Access Gained | None |
| Vulnerability Type | Bypass a restriction |
| CWE | CWE-264 (Permissions, Privileges, and Access Controls) |
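The flaw class described above, as an added example written for this post rather than code from Contact Form 7 or Rock Lobster: a server-side CAPTCHA check that only runs when the client sends the challenge parameter, beside a hardened version that decides from the form definition whether a CAPTCHA is required. The field naming (a hidden challenge id posted as `_wpcf7_captcha_challenge_<tag>` and the user's answer posted under the tag name), the challenge store and the request bodies are all constructed for the illustration; only the parameter name `_wpcf7_captcha_challenge_captcha-719` comes from the advisory.

```python
"""Model of a CAPTCHA check that can be bypassed by omitting the challenge
parameter, next to a hardened version. Constructed illustration of the flaw
class in CVE-2014-2265; this is not Contact Form 7's own code."""

import hmac

# Assumed field naming, modelled on the advisory: the hidden challenge id is
# posted as _wpcf7_captcha_challenge_<tag>, the user's answer as <tag>.
# The numeric suffix of the tag (captcha-719 here) is specific to one form.
CAPTCHA_TAG = "captcha-719"
CHALLENGE_FIELD = f"_wpcf7_captcha_challenge_{CAPTCHA_TAG}"
ANSWER_FIELD = CAPTCHA_TAG


def new_store() -> dict:
    # Constructed server-side state: challenge id -> expected answer for a
    # CAPTCHA image the server has issued to the browser.
    return {"a3f9c1": "7kx2p"}


def vulnerable_check(post: dict, store: dict) -> bool:
    """Validates only when the challenge parameter arrived. A client that
    drops that parameter from the POST body never reaches the comparison."""
    if CHALLENGE_FIELD not in post:
        return True  # the flaw: absence is treated as 'nothing to verify'
    expected = store.get(post[CHALLENGE_FIELD])
    if expected is None:
        return False
    return hmac.compare_digest(expected, post.get(ANSWER_FIELD, ""))


def hardened_check(post: dict, store: dict, form_has_captcha: bool = True) -> bool:
    """Decides from the server-side form definition whether a CAPTCHA is
    required, never from what the client chose to send. Both fields must be
    present, the answer must match, and the challenge is consumed on use so
    one solved challenge cannot be replayed for a second submission."""
    if not form_has_captcha:
        return True
    challenge = post.get(CHALLENGE_FIELD)
    answer = post.get(ANSWER_FIELD)
    if not challenge or answer is None:
        return False
    expected = store.pop(challenge, None)  # single use
    if expected is None:
        return False
    return hmac.compare_digest(expected, answer)


def probe(check) -> dict:
    """Replays the three submissions a tester would send against a handler
    and reports which were accepted. Each case gets a fresh store so the
    outcome does not depend on ordering."""
    base = {"your-name": "test", "your-message": "hello"}  # constructed body
    cases = {
        "correct": {**base, CHALLENGE_FIELD: "a3f9c1", ANSWER_FIELD: "7kx2p"},
        "wrong": {**base, CHALLENGE_FIELD: "a3f9c1", ANSWER_FIELD: "zzzzz"},
        "omitted": {**base, ANSWER_FIELD: "zzzzz"},  # challenge parameter dropped
    }
    return {name: check(body, new_store()) for name, body in cases.items()}


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_check))
    print("hardened:  ", probe(hardened_check))
```

The "omitted" case is the one the pentest exercised: a wrong answer with no challenge parameter is accepted by the vulnerable handler and rejected by the hardened one. When testing a form for this class of bug, send the same body three ways (correct, wrong, and with the anti-automation field removed entirely) rather than only trying wrong answers, since a check that is skipped on absence looks perfectly healthy to the second kind of test.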