CVE-2024-12255

The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it possible for unauthenticated attackers to extract configuration information that can be leveraged in another attack.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3205295%40accept-stripe-payments-using-contact-form-7&new=3205295%40accept-stripe-payments-using-contact-form-7&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/8a9e1325-1027-41ea-93be-c321aef61dea?source=cve

Configurations

No configuration.

History

12 Dec 2024, 15:15

Type	Values Removed	Values Added
CWE		CWE-732
Summary		(es) El complemento Accept Stripe Payments Using Contact Form 7 para WordPress es vulnerable a la exposición de información en todas las versiones hasta la 2.5 incluida a través del archivo cf7sa-info.php que devuelve datos de phpinfo(). Esto permite que atacantes no autenticados extraigan información de configuración que puede aprovecharse en otro ataque.

12 Dec 2024, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-12 06:15

Updated : 2024-12-12 15:15

NVD link : CVE-2024-12255

Mitre link : CVE-2024-12255

CVE.ORG link : CVE-2024-12255

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-732

Incorrect Permission Assignment for Critical Resource

5.3 /10