Login Sign Up

CVE-2023-49766

7.1 HIGH
Cross-Site Scripting

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into web pages generated by the Ultimate Addons for Contact Form 7 WordPress plugin. When users view affected pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Ultimate Addons for Contact Form 7 WordPress Plugin
Versions: All versions up to and including 3.2.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin enabled. No special configuration required for exploitation.

📦 What is this software?

Ultimate Addons For Contact Form 7 by Themefic

View all CVEs affecting Ultimate Addons For Contact Form 7 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over WordPress sites, deface websites, or redirect visitors to malicious sites, potentially leading to complete site compromise and data theft.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies, perform actions as authenticated users, or redirect visitors to phishing pages.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is unauthenticated and relatively easy to exploit. Public proof-of-concept details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.1 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/ultimate-addons-for-contact-form-7/wordpress-ultimate-addons-for-contact-form-7-plugin-3-2-0-unauthenticated-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Ultimate Addons for Contact Form 7'. 4. Click 'Update Now' if available, or manually update to version 3.2.1+. 5. Verify the plugin version after update.

🔧 Temporary Workarounds

Disable the vulnerable plugin

all

Temporarily disable the Ultimate Addons for Contact Form 7 plugin until patched

wp plugin deactivate ultimate-addons-for-contact-form-7

Implement Content Security Policy (CSP)

all

Add CSP headers to restrict script execution sources

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure in web server settings

🧯 If You Can't Patch

  • Disable the Ultimate Addons for Contact Form 7 plugin immediately
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → Ultimate Addons for Contact Form 7 version. If version is 3.2.0 or earlier, you are vulnerable.

Check Version:

wp plugin get ultimate-addons-for-contact-form-7 --field=version

Verify Fix Applied:

Verify the plugin version is 3.2.1 or later in WordPress admin panel. Test contact forms for any unexpected script execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to contact form endpoints with script tags or JavaScript in parameters
  • Multiple failed attempts to submit forms with encoded payloads

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript in form submission parameters
  • Unusual outbound connections from user browsers after visiting contact forms

SIEM Query:

source="wordpress.log" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=") AND "contact-form-7"

📊 Metadata

CVE ID: CVE-2023-49766
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE: CWE-79
Published: December 14, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49766, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)