CVE-2024-12255

Published: Dec 12, 2024Modified: Jul 2, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security@wordfence.com (Secondary)

Description

The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it possible for unauthenticated attackers to extract configuration information that can be leveraged in another attack.

Affected (1)

Products: Zealousweb: Accept Stripe Payments Using Contact Form 7

1 product

Accept Stripe Payments Using Contact Form 7

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zealousweb Accept Stripe Payments Using Contact Form 7	Before 2.6

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3205295%40accept-stripe-payments-using-contact-form-7&new=3205295%40accept-stripe-payments-using-contact-form-7&sfp_email=&sfph_mail=

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/8a9e1325-1027-41ea-93be-c321aef61dea?source=cve

Source: security@wordfence.com

ExploitThird Party Advisory

Timeline

No history available yet.