CVE-2024-1778: 
WordPress vulnerability analysis and mitigation

The Admin side data storage for Contact Form 7 plugin for WordPress contains a vulnerability (CVE-2024-1778) due to a missing capability check on the zt_dcfcf_change_bookmark() function in versions up to and including 1.1.1. The vulnerability was discovered and disclosed on February 23, 2024 (NVD).

The vulnerability stems from a missing authorization check in the plugin's functionality, specifically in the zt_dcfcf_change_bookmark() function. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, while Wordfence assessed it at 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

This vulnerability allows unauthenticated attackers to alter bookmark statuses in the WordPress installation. The impact is primarily focused on data modification capabilities, with no direct impact on confidentiality or system availability (NVD).

Users should update to a version newer than 1.1.1 of the Admin side data storage for Contact Form 7 plugin once available. The vulnerability was identified in the plugin's source code at the specified location (WordPress Plugin).