WordPress Plugin Vulnerabilities

Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection

Description

In the plugin, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.

Proof of Concept

Affects Plugins

Plugin icon
wpcf7-redirect
Fixed in 2.3.4

References

CVE
CVE-2021-24280
URL
https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
db4ba6b0-887e-4ec1-8935-ab21d369b329

Timeline

Publicly Published
2021-04-20 (about 4 years ago)
Added
2021-04-20 (about 4 years ago)
Last Updated
2021-04-21 (about 4 years ago)

Other

Published
Title
Published
2025-08-09
Title
Gravity Forms Insightly <= 1.1.6 - Unauthenticated PHP Object Injection
Published
2017-10-02
Title
RegistrationMagic-Custom Registration Forms <= 3.7.9.2 - Unauthenticated PHP Object Injection
Published
2024-06-12
Title
CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More < 4.5 - Unauthenticated PHP Object Injection
Published
2025-07-31
Title
Store Locator < 2.2.261 - Authenticated (Contributor+) PHP Object Injection
Published
2024-10-28
Title
DS.DownloadList <= 1.3 - Unauthenticated PHP Object Injection