Cimatti Contact Forms
Moderate fix1 remedy
cpe:2.3:a:cimatti:contact_forms:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 1.9.4
WordPress Contact Forms by Cimatti Missing Authorization Vulnerability in File Download Function
Vulnerability
Patched
A vulnerability exists in the WordPress Contact Forms by Cimatti plugin, affecting all versions through 1.9.4. The issue arises from a missing capability check in the 'accua_forms_download_submitted_file()' function, allowing unauthenticated users to download files submitted by other users via the contact forms.
Impact
Exploitation of this vulnerability allows for unauthorized access to user-submitted files, potentially leading to privacy violations or data leaks.
Reproduction
To reproduce this vulnerability, send a request to 'admin-ajax.php' with the action 'accua_forms_download_submitted_file', along with the 'subid', 'field', and 'file' parameters. The request can be made without authentication, bypassing any user permission checks.
Remediation
Users are advised to update the WordPress Contact Forms by Cimatti plugin to version 1.9.5 or later.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
1.0impact
0.6exploitability
8.6remediation
7.7relevance
0.0threat
4.8urgency
2.9incentive
5.8Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.