CVE-2024-10084

Published: Nov 5, 2024Modified: Jun 17, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security@wordfence.com (Secondary)

Description

The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Basic Information Disclosure in all versions up to, and including, 4.5 via the CF7_get_post_var shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract the titles and text contents of private and password-protected posts, they do not own.

Affected (1)

Products: Sevenspark: Contact Form 7 Dynamic Text Extension

1 product

Contact Form 7 Dynamic Text Extension

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sevenspark Contact Form 7 Dynamic Text Extension	Before 4.5.1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (2)

https://plugins.trac.wordpress.org/browser/contact-form-7-dynamic-text-extension/tags/4.5.0/includes/shortcodes.php#L225

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/e051a83e-ad5a-4789-bfee-e03aa9d6a3fc?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.