Vulnerabilities > Rocklobster

Columns: DATE | CVE | VULNERABILITY TITLE | RISK (each entry also lists attack vector, attack complexity, vendor, CWE and severity)

2024-01-11  CVE-2023-6630  Authorization Bypass Through User-Controlled Key vulnerability in Rocklobster Contact Form 7
  Description: The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key.
  Attack vector: network; attack complexity: low
  Vendor: rocklobster; weakness: CWE-639
  Risk: 4.3

2023-12-01  CVE-2023-6449  Unrestricted Upload of File with Dangerous Type vulnerability in Rocklobster Contact Form 7
  Description: The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3.
  Attack vector: network; attack complexity: low
  Vendor: rocklobster; weakness: CWE-434
  Risk: 7.2

2023-11-06  CVE-2023-40609  SQL Injection vulnerability in Rocklobster Contact Form 7 Custom Validation 1.1.3
  Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection. This issue affects Contact form 7 Custom validation: from n/a through 1.1.3.
  Attack vector: network; attack complexity: low
  Vendor: rocklobster; weakness: CWE-89
  Risk: 9.8 (critical)

2021-04-05  CVE-2021-24159  Cross-Site Request Forgery (CSRF) vulnerability in Rocklobster Contact Form 7
  Description: Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9.
  Attack vector: network; attack complexity: low
  Vendor: rocklobster; weakness: CWE-352
  Risk: 8.8

2020-12-17  CVE-2020-35489  Unrestricted Upload of File with Dangerous Type vulnerability in Rocklobster Contact Form 7
  Description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
  Attack vector: network; attack complexity: low
  Vendor: rocklobster; weakness: CWE-434
  Risk: 10.0 (critical)

2019-08-22  CVE-2018-20979  Unspecified vulnerability in Rocklobster Contact Form 7
  Description: The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type.
  Attack vector: network; attack complexity: low
  Vendor: rocklobster
  Risk: 7.5

2014-03-14  CVE-2014-2265  Permissions, Privileges, and Access Controls vulnerability in Rocklobster Contact Form 7 3.6/3.7/3.7.1
  Description: Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter.
  Attack vector: network; attack complexity: low
  Vendor: rocklobster; weakness: CWE-264
  Risk: 5.0