WordPress Plugin Vulnerabilities

Redirection for Contact Form 7 < 3.0.0 - Missing Authorization

Description

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_current_filtered_view() function hooked via admin_init in versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to export lead data.

Affects Plugins

Plugin icon
wpcf7-redirect
Fixed in 3.0.0

References

CVE
CVE-2023-39920
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9cf17c08-25b7-450d-acd9-963a1f79e495

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nguyen Anh Tien
Verified
No
WPVDB ID
74ebe3ab-3af5-4bde-a943-2c97667a400a

Timeline

Publicly Published
2023-10-03 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2024-01-02 (about 2 years ago)

Other

Published
Title
Published
2023-12-26
Title
All-in-one Floating Contact Form < 2.1.4 - Unauthenticated Unauthorised Action
Published
2025-12-25
Title
Testimonial Slider <= 2.0.15 - Missing Authorization
Published
2026-01-15
Title
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar < 3.2.2 - Missing Authorization
Published
2024-06-21
Title
Optinly < 1.0.19 - Missing Authorization
Published
2026-03-17
Title
avalex – Automatisch sichere Rechtstexte < 3.1.4 - Missing Authorization