CVE-2024-3520: CWE-862 Missing Authorization in trustyplugins Country State City Dropdown CF7
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tc_csca_patch_settings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber access and above, to add states or cities to the dropdown.
AI Analysis
Technical Summary
CVE-2024-3520 is a missing authorization vulnerability (CWE-862) in the Country State City Dropdown CF7 WordPress plugin by trustyplugins. The issue arises from the absence of a capability check in the tc_csca_patch_settings function, allowing authenticated users with subscriber privileges or above to add unauthorized entries to the dropdown lists of states or cities. This vulnerability affects all plugin versions up to and including 2.7.1. The CVSS 3.1 base score is 4.3 (medium), reflecting low complexity and limited impact confined to integrity modification without confidentiality or availability impact. There is no indication of known exploits in the wild or an official patch at this time.
Potential Impact
Authenticated users with subscriber-level access or higher can modify the plugin's dropdown data by adding states or cities, potentially leading to unauthorized data changes. There is no impact on confidentiality or availability. The integrity of the dropdown data is compromised, which could affect application behavior relying on this data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to minimize exposure and monitor for unauthorized changes to dropdown data. Avoid granting subscriber or higher privileges to untrusted users. Follow updates from trustyplugins for patch availability.
CVE-2024-3520: CWE-862 Missing Authorization in trustyplugins Country State City Dropdown CF7
Description
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tc_csca_patch_settings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber access and above, to add states or cities to the dropdown.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-3520 is a missing authorization vulnerability (CWE-862) in the Country State City Dropdown CF7 WordPress plugin by trustyplugins. The issue arises from the absence of a capability check in the tc_csca_patch_settings function, allowing authenticated users with subscriber privileges or above to add unauthorized entries to the dropdown lists of states or cities. This vulnerability affects all plugin versions up to and including 2.7.1. The CVSS 3.1 base score is 4.3 (medium), reflecting low complexity and limited impact confined to integrity modification without confidentiality or availability impact. There is no indication of known exploits in the wild or an official patch at this time.
Potential Impact
Authenticated users with subscriber-level access or higher can modify the plugin's dropdown data by adding states or cities, potentially leading to unauthorized data changes. There is no impact on confidentiality or availability. The integrity of the dropdown data is compromised, which could affect application behavior relying on this data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to minimize exposure and monitor for unauthorized changes to dropdown data. Avoid granting subscriber or higher privileges to untrusted users. Follow updates from trustyplugins for patch availability.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-04-09T16:17:04.416Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c93b7ef31ef0b5666f8
Added to database: 2/25/2026, 9:41:39 PM
Last enriched: 4/9/2026, 7:58:16 PM
Last updated: 4/12/2026, 6:09:22 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.