CVE-2021-24905

CVE-2021-24905: Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion

Vendor Unknown
Product Advanced Contact form 7 DB
Weakness CWE-863 · Incorrect authorization
Published March 21, 2022
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.

Key dates

02Disclosure timeline

March 21, 2022 CVE published
August 3, 2024 Record updated