Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Advanced CF7 DB (Advanced Contact form 7 DB)
Yesterday we noted that the recently closed plugin Advanced CF7 DB (Advanced Contact form 7 DB) had numerous security issues. It looks like one of those may have led to it being closed, as subsequent to the closure a new version was submitted with the changelog “We have fixed SQL injection related bugs at the back office query.” It is interesting that this issue seems rather minor in comparison with some of the others, as by default the affected query looks to be directly accessible only to Administrators. That is where the CSRF in the title comes in: a query that only an Administrator can reach is still reachable by an attacker who can get a logged-in Administrator to make the request for them, unless the request is protected against cross-site request forgery.
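To illustrate the pattern described above, here is an added example written for this post; it is not code from the Advanced CF7 DB plugin, and the function names (acf7db_example_*), the nonce action name, the table name example_entries and the request parameters form_id and order_by are all hypothetical. It shows a back-office query that an Administrator can reach but that is still exploitable through CSRF because it has no nonce check and interpolates request input into SQL, next to a hardened version that checks a nonce, parameterises the value with $wpdb->prepare() and whitelists the column name, since prepare() cannot parameterise identifiers.

```php
<?php
// Added example, not code from the Advanced CF7 DB plugin. All names below
// (acf7db_example_*, 'acf7db_example_list', example_entries, form_id,
// order_by) are hypothetical and exist only to illustrate the pattern.

// Vulnerable pattern: the capability check makes this "admin-only", but there
// is no nonce, so an Administrator who is lured to an attacker-controlled page
// can be made to send this request, and both parameters land in the SQL
// string unescaped.
function acf7db_example_list_vulnerable() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    $form_id  = $_GET['form_id'];  // attacker-controlled via CSRF
    $order_by = $_GET['order_by']; // attacker-controlled via CSRF
    $sql = "SELECT * FROM {$wpdb->prefix}example_entries"
         . " WHERE form_id = $form_id ORDER BY $order_by";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: same capability check, plus a nonce check to stop CSRF,
// an integer cast and prepare() for the value, and a whitelist for the
// column name because prepare() only handles values, not identifiers.
function acf7db_example_list_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    // Dies unless the request carries a valid _wpnonce for this action,
    // which only a page served to this logged-in user could have included.
    check_admin_referer( 'acf7db_example_list' );

    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;

    $allowed_columns = array( 'id', 'created' );
    $order_by = isset( $_GET['order_by'] ) ? (string) $_GET['order_by'] : 'id';
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'id';
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_entries"
        . " WHERE form_id = %d ORDER BY `$order_by`",
        $form_id
    );
    return $wpdb->get_results( $sql );
}

// Any link or form that leads to the hardened handler must carry the nonce,
// otherwise legitimate Administrators fail the check too.
function acf7db_example_list_url( $form_id ) {
    $url = admin_url( 'admin.php?page=acf7db-example&form_id=' . absint( $form_id ) . '&order_by=created' );
    return wp_nonce_url( $url, 'acf7db_example_list' );
}
```

The point of the pairing is that neither half of the fix is sufficient on its own: the nonce stops a third party from driving an Administrator's browser at the query, and parameterisation plus the identifier whitelist stops the query from being injectable even by a request that does carry a valid nonce.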
...
This post provides insights on a vulnerability in the WordPress plugin Advanced CF7 DB that was not discovered by us, and for which the discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.
If you were using our service and your website were vulnerable due to this vulnerability, you would already have been warned about it. You can try out our service for free and then see the rest of the details of the vulnerability.
For existing customers, please log in to your account to view the rest of the contents of the post.