漏洞标题
高级联系表7 DB <1.8.7 - 订阅者+任意文件删除
漏洞描述信息
高级联系表7数据库<1.8.7 - 订阅者+任意文件删除
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
漏洞描述信息
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.
CVSS信息
N/A
漏洞类别
授权机制不正确
漏洞标题
WordPress plugin Advanced Contact form 7 DB 跨站请求伪造漏洞
漏洞描述信息
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Advanced Contact form 7 DB 1.8.7 之前存在跨站请求伪造漏洞,该漏洞允许任何经过身份验证的用户删除 Web 服务器上的任意文件。
CVSS信息
N/A
漏洞类别
跨站请求伪造