Description
The Custom Contact Forms plugin for WordPress contains a critical authentication bypass vulnerability that allows unauthenticated remote attackers to access and manipulate the WordPress database. This flaw enables attackers to bypass all authentication mechanisms and perform unauthorized database operations without requiring any administrative credentials or user privileges.
Remediation
Immediately upgrade the Custom Contact Forms plugin to version 5.1.0.4 or later, which addresses this vulnerability. To update:
1. Navigate to the WordPress admin dashboard
2. Go to Plugins > Installed Plugins
3. Locate Custom Contact Forms and click 'Update Now'
4. Verify the plugin version is 5.1.0.4 or higher after update
If immediate patching is not possible, temporarily deactivate the Custom Contact Forms plugin until the update can be applied. After updating, review database access logs for any suspicious activity and consider rotating all user passwords and authentication tokens as a precautionary measure.
References
Related Vulnerabilities
WordPress Plugin WP Header Images Cross-Site Scripting (2.0.0)
MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-4569)
WordPress Plugin WP Google Maps Multiple Cross-Site Scripting Vulnerabilities (6.0.26)
WordPress Plugin DW Question & Answer Security Bypass (1.2.9)