CVE-2024-13717
📋 TL;DR
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to enable or disable widgets without proper authorization. It affects all versions of the Contact Form and Calls To Action by vcita plugin up to and including 2.7.1. Attackers can manipulate widget states on vulnerable WordPress sites.
💻 Affected Systems
- Contact Form and Calls To Action by vcita WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable critical contact forms or calls-to-action, disrupting business operations and lead generation on affected websites.
Likely Case
Malicious users could toggle widget visibility, causing minor site functionality disruptions or confusing legitimate users.
If Mitigated
With proper user role management and monitoring, impact is limited to temporary widget state changes that can be quickly reverted.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple. The vulnerability is publicly documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3158825/lead-capturing-call-to-actions-by-vcita/trunk/vcita-ajax-function.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Contact Form and Calls To Action by vcita'. 4. Click 'Update Now' if available, or manually update to version 2.7.2+. 5. Verify plugin is active after update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched version is available
wp plugin deactivate lead-capturing-call-to-actions-by-vcita
User Role Restriction
linuxTemporarily restrict subscriber-level users from accessing the site
wp user list --role=subscriber --field=ID | xargs wp user set-role administrator
🧯 If You Can't Patch
- Remove the vcita plugin entirely and use alternative contact form solutions
- Implement web application firewall rules to block requests to vcita_ajax_toggle_* endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Contact Form and Calls To Action by vcita' version 2.7.1 or earlierCheck Version:
wp plugin get lead-capturing-call-to-actions-by-vcita --field=versionVerify Fix Applied:
Verify plugin version is 2.7.2 or higher in WordPress admin plugins page📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=vcita_ajax_toggle_ae or vcita_ajax_toggle_contact
- Unauthorized user IDs accessing widget toggle functions
Network Indicators:
- Ajax requests to toggle endpoints from non-admin user accounts
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND ("vcita_ajax_toggle_ae" OR "vcita_ajax_toggle_contact")