CVE-2023-6630: 
WordPress vulnerability analysis and mitigation

The Contact Form 7 – Dynamic Text Extension plugin for WordPress (CVE-2023-6630) contains an Insecure Direct Object Reference vulnerability affecting all versions up to and including 4.1.0. The vulnerability was discovered and disclosed on January 11, 2024, impacting the CF7_get_custom_field and CF7_get_current_user shortcodes functionality (NVD).

The vulnerability stems from missing validation on a user-controlled key in the CF7_get_custom_field and CF7_get_current_user shortcodes. The issue has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The weakness has been classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

The vulnerability allows authenticated attackers with contributor access or higher to access arbitrary metadata of any post type by referencing the post by ID and the meta by key. This could lead to unauthorized access to sensitive information stored in post metadata (NVD).

A patch has been released to address this vulnerability. Users are advised to update their Contact Form 7 – Dynamic Text Extension plugin to a version newer than 4.1.0 (WordPress Patch).