CVE-2024-3723 in Advanced Contact Form 7 DB Plugin

Summary

by MITRE • 06/11/2024

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.


Analysis

by VulDB Data Team • 05/15/2026

The Advanced Contact Form 7 DB plugin for WordPress presents a critical security vulnerability through improper access control mechanisms that expose sensitive data to unauthenticated attackers. This vulnerability affects all plugin versions up to and including 2022.02, creating a significant risk for WordPress installations that rely on this plugin for form handling and data collection. The flaw manifests through the wp-content/uploads/advanced-cf7-upload directory, which lacks proper authentication checks and authorization controls, allowing malicious actors to directly access uploaded files without requiring valid credentials or administrative privileges.

The technical root of this vulnerability is inadequate directory permissions and missing access control enforcement in the plugin's file handling. When users submit forms through the Advanced Contact Form 7 interface, any attachments or sensitive data uploaded through these forms are stored in the designated upload directory without protective measures. This creates a persistent exposure in which attackers can enumerate and download files that should remain protected, including personal information, confidential documents, and other sensitive data that users expect to stay private within the form submission process. The vulnerability aligns with CWE-284 (Improper Access Control) and specifically demonstrates weak authorization mechanisms that fail to verify user credentials before granting access to protected resources.

The operational impact of this vulnerability extends beyond simple data exposure, as it enables attackers to systematically harvest sensitive information from form submissions across multiple WordPress installations. Unauthenticated attackers can exploit this weakness to gain access to personally identifiable information, business documents, and other confidential data that users submit through contact forms. This exposure creates significant risk for organizations that handle sensitive data through WordPress-based contact forms, potentially leading to identity theft, corporate espionage, or regulatory compliance violations. The vulnerability also facilitates automated attacks in which malicious actors continuously scan for exposed directories and harvest data without any authentication or privileged access.

Organizations should immediately implement mitigations including restricting access to the upload directory through web server configuration, implementing proper authentication checks for file access, and applying the latest plugin updates when available. Network-level protections such as web application firewalls can help detect and block unauthorized access attempts to the vulnerable directory structure. Additionally, administrators should conduct thorough audits of their WordPress installations to identify all instances of this plugin and ensure proper access controls are in place. The vulnerability demonstrates the importance of implementing defense-in-depth strategies and proper access control mechanisms, aligning with ATT&CK technique T1213 which covers data from information repositories. Organizations should also consider implementing automated monitoring for unauthorized access attempts and establish incident response procedures to address potential data breaches resulting from this exposure.
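As an added example (not VulDB's or the plugin's code), a small log check of the kind the monitoring advice above calls for, run over constructed Apache/nginx combined-format access-log lines: it reports clients that were served a directory index for wp-content/uploads/advanced-cf7-upload and clients that pulled several distinct files from it. The site-relative path prefix (WordPress at the web root) and the three-file threshold are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3}) ')

# Directory named in the advisory. The site-relative prefix assumes WordPress
# is installed at the web root (an assumption; adjust for sub-directory installs).
UPLOAD_DIR = "/wp-content/uploads/advanced-cf7-upload/"


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return m.group("ip"), path, int(m.group("status"))


def analyze(lines, threshold=3):
    """Report successful (2xx) direct access to the upload directory.
    listing_clients:     IPs served a 2xx for the directory itself (index listing enabled).
    enumerating_clients: IP -> sorted distinct files fetched, for IPs at or above `threshold`.
    """
    listing, files = set(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if not (200 <= status < 300) or not path.startswith(UPLOAD_DIR):
            continue
        if path == UPLOAD_DIR:
            listing.add(ip)        # directory index was served
        else:
            files[ip].add(path)    # an uploaded file was served
    return {
        "listing_clients": sorted(listing),
        "enumerating_clients": {ip: sorted(p) for ip, p in files.items() if len(p) >= threshold},
    }


# Constructed sample lines using RFC 5737 test addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jun/2024:10:00:01 +0000] "GET /wp-content/uploads/advanced-cf7-upload/ HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.7 - - [11/Jun/2024:10:00:02 +0000] "GET /wp-content/uploads/advanced-cf7-upload/resume-1.pdf HTTP/1.1" 200 80213 "-" "curl/8.0"
203.0.113.7 - - [11/Jun/2024:10:00:03 +0000] "GET /wp-content/uploads/advanced-cf7-upload/resume-2.pdf HTTP/1.1" 200 77120 "-" "curl/8.0"
203.0.113.7 - - [11/Jun/2024:10:00:04 +0000] "GET /wp-content/uploads/advanced-cf7-upload/id-scan.png HTTP/1.1" 200 45000 "-" "curl/8.0"
198.51.100.4 - - [11/Jun/2024:10:05:00 +0000] "GET /wp-content/uploads/advanced-cf7-upload/invoice.pdf HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jun/2024:10:06:00 +0000] "GET /wp-content/uploads/advanced-cf7-upload/notes.docx?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"
"""
```

Once direct access to the directory has been blocked in the web server configuration, the same check doubles as a verification step: requests under that path should no longer appear with a 2xx status.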

Reservation

04/12/2024

Disclosure

06/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00439

KEV

no

Activities

very low
