Contact Form 7 Vulnerability

Contact Form 7 Vulnerability was published by our penetration tester, Hannah Sharp, in February of 2014. The Rock Lobster Contact Form 7 WordPress plugin, prior to version 3.7.2, could allow remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter.

The Contact Form 7 vulnerability was discovered by Hannah Sharp during a routine penetration test of our own website following the deployment of the latest plugin updates. Rock Lobster was contacted immediately and was very quick to turn around the fix and updates. The vulnerability was published under CVE-2014-2265.
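The root cause described above is a CAPTCHA check that only runs when the client supplies the challenge parameter, so leaving it out skips the check entirely. The following added example (not the plugin's code) models that fail-open pattern beside a fail-closed one; the field name `captcha-719`, the in-memory challenge store and the `FORM_CAPTCHA_FIELDS` definition are assumptions for illustration.

```python
import hmac

# Prefix of the hidden challenge parameter, taken from the advisory.
CHALLENGE_PREFIX = "_wpcf7_captcha_challenge_"
# Assumed server-side form definition: the server knows which CAPTCHA
# answer fields the form contains regardless of what the client sends.
FORM_CAPTCHA_FIELDS = ["captcha-719"]


def verify_fail_open(post, store):
    """Weak pattern: checks only the CAPTCHA fields the client chose to
    send. A request with no _wpcf7_captcha_challenge_* key never enters
    the loop and is accepted."""
    for key, challenge_id in post.items():
        if not key.startswith(CHALLENGE_PREFIX):
            continue
        answer = post.get(key[len(CHALLENGE_PREFIX):], "")
        expected = store.get(challenge_id)
        if expected is None or not hmac.compare_digest(
                answer.encode(), expected.encode()):
            return False
    return True


def verify_fail_closed(post, store):
    """Hardened pattern: walks the server-side form definition, requires
    both parameters for every CAPTCHA field, and consumes the challenge
    so a solved answer cannot be replayed."""
    for answer_field in FORM_CAPTCHA_FIELDS:
        challenge_id = post.get(CHALLENGE_PREFIX + answer_field)
        answer = post.get(answer_field)
        if challenge_id is None or answer is None:
            return False  # a missing parameter is a failure, not a skip
        expected = store.pop(challenge_id, None)  # one-time use
        if expected is None or not hmac.compare_digest(
                answer.encode(), expected.encode()):
            return False
    return True


if __name__ == "__main__":
    issued = {"ch-1": "k7x2p"}  # constructed store: challenge id -> answer
    solved = {"captcha-719": "k7x2p", CHALLENGE_PREFIX + "captcha-719": "ch-1"}
    omitted = {"your-message": "hello"}  # challenge parameter left out
    print(verify_fail_open(omitted, dict(issued)))    # True: the bypass
    print(verify_fail_closed(omitted, dict(issued)))  # False
    print(verify_fail_closed(solved, dict(issued)))   # True
```

The hardened version also rejects a wrong answer and a second submission of an already-consumed challenge, which a log of rejected submissions can be monitored for.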

Author: Hannah Sharp
Affected: Contact Form 7 WordPress Plugin
Issue: It is possible to bypass the CAPTCHA challenge by omitting the _wpcf7_captcha_challenge_captcha-719 value
Risk: No anti-robot protection on the form can result in misuse of the form by spammers
CVE: CVE-2014-2265
CVSS: 5.0
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Access Complexity: Low
Authentication: Not Required
Access Gained: None
Vulnerability Type: Bypass a restriction
CWE: CWE-264