CVE-2024-3870 - Vulnerability Details - OpenCVE

The Contact Form 7 Database Addon – CFDB7 plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.6.8 via the cfdb7_before_send_mail function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00982.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Arshidkv12 Subscribe	Contact Form Addon Subscribe

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-32438	The Contact Form 7 Database Addon – CFDB7 plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.6.8 via the cfdb7_before_send_mail function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/contact-form-cfdb7/trunk/contact-form-cfdb-7.php#L143
https://plugins.trac.wordpress.org/changeset/3077090/
https://www.wordfence.com/threat-intel/vulnerabilities/id/995a6c1d-fb49-4953-9828-f6594ac45fa7?source=cve

History

Thu, 26 Feb 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Arshidkv12 Arshidkv12 contact Form Addon
CPEs		cpe:2.3:a:arshidkv12:contact_form_addon::::::::
Vendors & Products		Arshidkv12 Arshidkv12 contact Form Addon
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-02T16:52:26.481Z

Updated: 2024-08-01T20:26:57.223Z

Reserved: 2024-04-16T00:17:43.172Z

Link: CVE-2024-3870

Vulnrichment

Updated: 2024-08-01T20:26:57.223Z

NVD

Status : Awaiting Analysis

Published: 2024-05-02T17:15:31.743

Modified: 2024-11-21T09:30:35.940

Link: CVE-2024-3870

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3870", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-04-16T00:17:43.172Z", "datePublished": "2024-05-02T16:52:26.481Z", "dateUpdated": "2024-08-01T20:26:57.223Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:26.481Z"}, "affected": [{"vendor": "arshidkv12", "product": "Contact Form 7 Database Addon \u2013 CFDB7", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.2.6.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Contact Form 7 Database Addon \u2013 CFDB7 plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.6.8 via the cfdb7_before_send_mail function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/995a6c1d-fb49-4953-9828-f6594ac45fa7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-cfdb7/trunk/contact-form-cfdb-7.php#L143"}, {"url": "https://plugins.trac.wordpress.org/changeset/3077090/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Information Exposure"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tim Coen"}], "timeline": [{"time": "2024-04-26T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "arshidkv12", "product": "contact_form_addon", "cpes": ["cpe:2.3:a:arshidkv12:contact_form_addon:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.6.8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-02T19:24:43.942937Z", "id": "CVE-2024-3870", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T19:43:40.890Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:26:57.223Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/995a6c1d-fb49-4953-9828-f6594ac45fa7?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-cfdb7/trunk/contact-form-cfdb-7.php#L143", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3077090/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/995a6c1d-fb49-4953-9828-f6594ac45fa7?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-cfdb7/trunk/contact-form-cfdb-7.php#L143", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3077090/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:26:57.223Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3870", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T19:24:43.942937Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:arshidkv12:contact_form_addon:*:*:*:*:*:*:*:*"], "vendor": "arshidkv12", "product": "contact_form_addon", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.6.8"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-02T19:25:59.928Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Tim Coen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "arshidkv12", "product": "Contact Form 7 Database Addon \u2013 CFDB7", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.6.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-04-26T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/995a6c1d-fb49-4953-9828-f6594ac45fa7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-cfdb7/trunk/contact-form-cfdb-7.php#L143"}, {"url": "https://plugins.trac.wordpress.org/changeset/3077090/"}], "descriptions": [{"lang": "en", "value": "The Contact Form 7 Database Addon \u2013 CFDB7 plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.6.8 via the cfdb7_before_send_mail function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Information Exposure"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:26.481Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3870", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:26:57.223Z", "dateReserved": "2024-04-16T00:17:43.172Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-02T16:52:26.481Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The Contact Form 7 Database Addon \u2013 CFDB7 plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.6.8 via the cfdb7_before_send_mail function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users."}, {"lang": "es", "value": "El complemento Contact Form 7 Database Addon \u2013 CFDB7 para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en versiones hasta la 1.2.6.8 incluida a trav\u00e9s de la funci\u00f3n cfdb7_before_send_mail. Esto puede permitir a atacantes no autenticados extraer datos confidenciales, como informaci\u00f3n de identificaci\u00f3n personal, de archivos cargados por los usuarios."}], "id": "CVE-2024-3870", "lastModified": "2024-11-21T09:30:35.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-02T17:15:31.743", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contact-form-cfdb7/trunk/contact-form-cfdb-7.php#L143"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3077090/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/995a6c1d-fb49-4953-9828-f6594ac45fa7?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/contact-form-cfdb7/trunk/contact-form-cfdb-7.php#L143"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset/3077090/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/995a6c1d-fb49-4953-9828-f6594ac45fa7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis"}