CVE-2022-0404
Last modified
CVE-2022-0404 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing any logged in user (with roles as low as Subscriber) to set arbitrary options to true, potentially leading to Denial of Service by breaking the site.. EPSS estimates a 1.04% chance of exploitation in the next 30 days.
Description
The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing any logged in user (with roles as low as Subscriber) to set arbitrary options to true, potentially leading to Denial of Service by breaking the site.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Material Design For Contact Form 7 Project | Material Design For Contact Form 7 | <= 2.6.4 |
References
- https://wpscan.com/vulnerability/6d0932bb-d515-4432-b67b-16aba34bd285Exploit, Third Party Advisory
- https://wpscan.com/vulnerability/6d0932bb-d515-4432-b67b-16aba34bd285Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-0404?
How severe is CVE-2022-0404?
How do I fix CVE-2022-0404?
Are you affected by CVE-2022-0404?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST