WordPress Plugin Vulnerabilities

Redirection for Contact Form 7 < 2.6.0 - Unauthenticated Options Update to Stored XSS

Description

The plugin could allow attackers to update arbitrary options, and perform XSS attacks when the AccessiBe add-on is also installed

Affects Plugins

Plugin icon
wpcf7-redirect
Fixed in 2.6.0

References

CVE
CVE-2021-36913

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
John Castro aka mirphak
Verified
No
WPVDB ID
f42b2c72-50dd-4b76-84ad-8322c1a6e051

Timeline

Publicly Published
2022-09-29 (about 3 years ago)
Added
2022-10-11 (about 3 years ago)
Last Updated
2022-10-11 (about 3 years ago)

Other

Published
Title
Published
2025-12-23
Title
Share, Print and PDF Products for WooCommerce <= 3.1.2 - Missing Authorization
Published
2025-11-20
Title
Better Chat Support for Messenger < 1.2.19 - Missing Authorization
Published
2024-05-21
Title
ApplyOnline – Application Form Builder and Manager < 2.6.3 - Missing Authorization to Sensitive Information Exposure
Published
2026-02-18
Title
NM Gift Registry and Wishlist Lite < 5.14 - Missing Authorization
Published
2024-02-22
Title
Admin side data storage for Contact Form 7 <= 1.1.1 - Missing Authorization to Unauthenticated Bookmark Status Alteration