CVE-2025-3247

Contact Form 7 <= 6.0.5 - Order Replay Vulnerability

The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Possible mitigation
Contact Form 7: Update to version 6.0.6, or a newer patched version
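As an added, defender-side illustration (this is not Contact Form 7 code and not the 6.0.6 patch): a submission handler that treats a Stripe PaymentIntent as a one-time token, so a second submission carrying an already-fulfilled intent is rejected instead of producing another "order received" email. The class name, the in-memory stores and the idea of binding the intent to a form id and amount through merchant-set PaymentIntent metadata are assumptions.

```python
# Added illustration (hypothetical names; not the plugin's own code).
# Guards against the reuse pattern described above: one succeeded
# PaymentIntent must settle at most one order before any notification goes out.
from dataclasses import dataclass, field


@dataclass
class ReplayGuard:
    # Constructed stand-in for a Stripe lookup:
    # intent id -> {"status", "amount" (minor units), "form_id" (from metadata)}
    stripe_intents: dict
    consumed: set = field(default_factory=set)          # intent ids already fulfilled
    notifications: list = field(default_factory=list)   # (form_id, intent_id) "emails sent"

    def accept_submission(self, form_id: str, intent_id: str, expected_amount: int) -> str:
        """Return 'accepted', 'replayed', 'unpaid' or 'mismatch'.

        Only 'accepted' results in a notification; every other outcome is a
        server-side decision that does not trust the submitted key by itself.
        """
        intent = self.stripe_intents.get(intent_id)
        # The client-supplied id proves nothing; the payment state must come from Stripe.
        if intent is None or intent["status"] != "succeeded":
            return "unpaid"
        # Bind the payment to this form and amount so a succeeded intent from one
        # order cannot be presented against a different form or a cheaper item.
        if intent["form_id"] != form_id or intent["amount"] != expected_amount:
            return "mismatch"
        # Consume the intent before notifying; a repeat of the same id is a replay.
        if intent_id in self.consumed:
            return "replayed"
        self.consumed.add(intent_id)
        self.notifications.append((form_id, intent_id))
        return "accepted"


if __name__ == "__main__":
    # Constructed sample: one paid intent, one that never completed.
    guard = ReplayGuard(stripe_intents={
        "pi_demo_paid": {"status": "succeeded", "amount": 4900, "form_id": "order-form"},
        "pi_demo_open": {"status": "requires_payment_method", "amount": 4900, "form_id": "order-form"},
    })
    for attempt in ("pi_demo_paid", "pi_demo_paid", "pi_demo_open"):
        print(attempt, guard.accept_submission("order-form", attempt, 4900))
    print("notifications sent:", len(guard.notifications))
```

A persistent deployment would keep `consumed` in a database with a unique constraint on the intent id, so the consume step cannot race between two concurrent submissions.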
Data provided by the National Vulnerability Database (NVD)
Vendor: Rocklobster | Product: Contact Form 7 | Software platform: wordpress | Version < 6.0.6
Further vulnerability information
System: WordPress Plugin
Product: Contact Form 7
Version: * - 6.0.5
No advisory was found for this CVE.
EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.21%   0.115
CVSS metrics
Source                    Base Score   Exploit Score   Impact Score   Vector String
security@wordfence.com    5.3          3.9             1.4            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-354 Improper Validation of Integrity Check Value

The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/38257dbf-288e-4028-af65-85f5389888ac?source=cve (Third Party Advisory)
https://plugins.trac.wordpress.org/browser/contact-form-7/tags/6.0.5/modules/stripe/stripe.php#L114 (Product; Broken Link)
https://plugins.trac.wordpress.org/changeset/3270138/ (Patch; Broken Link)
https://www.wordfence.com/threat-intel/vulnerabilities/id/38257dbf-288e-4028-af65-85f5389888ac (Third Party Advisory)