CVE-2024-34826
Published 2024-06-11
CVE-2024-34826: Missing Authorization vulnerability in Saleswonder Team: Tobias CF7 WOW Styler cf7-styler. This issue affects CF7 WOW Styler: from n/a through <= 1.6.4.
Priority: P279 · Severity: medium · CVSS 3.1 base score: 6.3
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.33% (24.4th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rack | rack | >= 0 < 2.2.23 | 2.2.23 |
| rack | rack | >= 3.0.0.beta1 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
| saleswonder_team_tobias | cf7_wow_styler | <= 1.6.4 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| ghsa | | 7.5 | HIGH | |
| vendor_redhat | | 5.8 | MEDIUM | |
GHSA
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
ghsa · 2026-04-02 · CVSS 7.5 · CVE-2026-34826 [MEDIUM] · CWE-400
## Summary
`Rack::Utils.get_byte_ranges` parses the HTTP `Range` header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as `0-0,0-0,0-0,...` to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request.
This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses.
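The `0-0,0-0,...` pattern described above, as an added defensive check that is not Rack's own code: a framework-free Ruby parser that caps the number of byte ranges and rejects overlapping ones, plus a Rack-style middleware that does the cheap count check before a file server sees the request. `safe_byte_ranges`, `RangeGuard`, `RangeAbuse` and the 16-range `MAX_RANGES` ceiling are assumed names and values, not Rack APIs or settings.

```ruby
MAX_RANGES = 16   # assumed ceiling; real clients send one or two ranges
class RangeAbuse < StandardError; end

# Parse "bytes=a-b,c-d,..." for a resource of +size+ bytes. Returns an Array of
# inclusive byte Ranges, nil if the header is absent, malformed or unsatisfiable,
# and raises RangeAbuse for the 0-0,0-0,... pattern (too many or overlapping).
def safe_byte_ranges(http_range, size, max_ranges: MAX_RANGES)
  return nil unless http_range && (m = /\Abytes=(.+)\z/.match(http_range))
  specs = m[1].split(',')
  raise RangeAbuse, "#{specs.size} ranges > #{max_ranges}" if specs.size > max_ranges
  ranges = specs.map do |spec|
    sm = /\A\s*(\d*)-(\d*)\s*\z/.match(spec)
    return nil unless sm
    first, last = sm[1], sm[2]
    if first.empty?                      # suffix form "-N": the last N bytes
      return nil if last.empty?
      n = last.to_i
      next nil if n.zero?
      [size - n, 0].max..(size - 1)
    else
      f = first.to_i
      l = last.empty? ? size - 1 : [last.to_i, size - 1].min
      next nil if f > l                  # drop an unsatisfiable sub-range
      f..l
    end
  end.compact
  return nil if ranges.empty?

  # After sorting by start, a range beginning at or before the previous end re-serves bytes.
  ranges.sort_by(&:begin).each_cons(2) do |a, b|
    raise RangeAbuse, "overlapping ranges #{a} and #{b}" if b.begin <= a.end
  end
  ranges
end

# Rack-style middleware (plain Ruby, no rack gem) doing only the count check; it
# does not know the file size, so the overlap check is left to the parser above.
class RangeGuard
  def initialize(app, max_ranges: MAX_RANGES)
    @app, @max = app, max_ranges
  end

  def call(env)
    hdr = env['HTTP_RANGE']
    if hdr && hdr.start_with?('bytes=') && hdr.count(',') >= @max
      return [416, { 'content-type' => 'text/plain' }, ["too many byte ranges\n"]]
    end
    @app.call(env)
  end
end
```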
## Details
`Rack::Utils.get_byte_ranges` accepts a comma-separated list of byte ranges and validates them based on their aggregate size, b
GHSA
GHSA-7223-6cmw-xwrj: Missing Authorization vulnerability in Tobias Conrad Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler
ghsa_unreviewed · 2024-06-11 · CVE-2024-34826 [MEDIUM] · CWE-862
Missing Authorization vulnerability in Tobias Conrad Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler. This issue affects Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler: from n/a through 1.6.4.
VulnCheck
CVE-2024-34826: Missing Authorization
vulncheck · 2024
Missing Authorization vulnerability in Saleswonder Team: Tobias CF7 WOW Styler cf7-styler. This issue affects CF7 WOW Styler: from n/a through <= 1.6.4.
Affected: Tobias Conrad Design for Contact Form 7 Style WordPress Plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/cf7-styler/vulnerability/wordpress-cf7-wow-styler-plugin-1-6-4-broken-access-control-vulnerability
Red Hat
rack: Rack: Denial of Service via malicious HTTP Range header
vendor_redhat · 2026-04-02 · CVSS 5.8 · CVE-2026-34826 [MEDIUM] · CWE-770
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
A flaw was found in Rack. A remote a
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.