contact form 7 vulnerability

Posted by Peter Bassill on 26/02/2014


Contact Form 7 Vulnerability was published by our penetration tester, Hannah Sharp, in February 2014. The Rock Lobster Contact Form 7 WordPress plugin, prior to version 3.7.2, could allow remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter.



The Contact Form 7 vulnerability was discovered by Hannah Sharp during a routine penetration test of our own website, following the deployment of the latest plugin updates. Rock Lobster was contacted immediately and was very quick to turn around the fix and updates. The vulnerability was published under CVE-2014-2265.





Author: Hannah Sharp

Affected: Contact Form 7 WordPress Plugin

Issue: It is possible to bypass the CAPTCHA challenge by omitting the _wpcf7_captcha_challenge_captcha-719 value.

Risk: No anti-robot protection on the form can result in misuse of the form by spammers.

CVE: CVE-2014-2265

CVSS: 5.0

Confidentiality Impact: None

Integrity Impact: Partial

Availability Impact: None

Access Complexity: Low

Authentication: Not Required

Access Gained: None

Vulnerability Type: Bypass a restriction

CWE: 264
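The root cause described above is a fail-open check: the server only verifies the CAPTCHA when the client sends the challenge parameter, so leaving it out skips verification. The following is an added illustration of that pattern beside a fail-closed version; it is not the plugin's code, and the field names, store and submissions are constructed for the example.

```python
import hmac

# Hypothetical field names standing in for the plugin's challenge parameter
# (_wpcf7_captcha_challenge_captcha-719) and the user's typed answer.
CHALLENGE_FIELD = "captcha_challenge"
RESPONSE_FIELD = "captcha_response"


def fresh_store() -> dict:
    """Constructed server-side record: challenge id -> expected answer."""
    return {"chal-abc123": "K7M2Q"}


def validate_fail_open(form: dict, store: dict) -> bool:
    """Vulnerable pattern: the client's fields decide whether to verify.

    An absent challenge field means 'nothing to check', so the submission
    is accepted without any answer at all.
    """
    challenge = form.get(CHALLENGE_FIELD)
    if challenge is None:
        return True  # the bug: a missing field is treated as success
    return store.get(challenge) == form.get(RESPONSE_FIELD)


def validate_fail_closed(form: dict, store: dict) -> bool:
    """Hardened pattern: the server's configuration requires the CAPTCHA.

    Missing fields, unknown challenge ids and wrong answers all reject; the
    comparison is constant-time and each challenge is consumed on use, so a
    solved answer cannot be replayed.
    """
    challenge = form.get(CHALLENGE_FIELD)
    response = form.get(RESPONSE_FIELD)
    if not isinstance(challenge, str) or not isinstance(response, str):
        return False
    expected = store.pop(challenge, None)  # single use, right or wrong
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), response.encode())


# Constructed submissions: correct answer, wrong answer, and parameter omitted.
SUBMISSIONS = {
    "correct": {"msg": "hi", CHALLENGE_FIELD: "chal-abc123", RESPONSE_FIELD: "K7M2Q"},
    "wrong": {"msg": "hi", CHALLENGE_FIELD: "chal-abc123", RESPONSE_FIELD: "XXXXX"},
    "omitted": {"msg": "hi"},
}


def outcomes(validator) -> dict:
    """Run each submission against a fresh store; returns label -> accepted."""
    return {label: validator(form, fresh_store()) for label, form in SUBMISSIONS.items()}
```

Running `outcomes` with each validator shows the fail-open check accepting the "omitted" submission while the fail-closed check rejects it.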


