Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
Description
The Redirection for Contact Form 7 plugin up to 2.3.3 allows unauthenticated users to obtain valid nonces for any WordPress action via a public AJAX endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Redirection for Contact Form 7 plugin (slug: wpcf7-redirect) in versions before 2.3.4 exposes the wpcf7r_get_nonce AJAX action, which is registered for unauthenticated users. This action does not perform any permission checks before returning a valid nonce for any WordPress action or function specified in the request. The issue is classified as broken access control (CWE-284) [1].
Exploitation
An unauthenticated attacker can craft an HTTP request to the WordPress AJAX endpoint (typically /wp-admin/admin-ajax.php) with the action parameter set to wpcf7r_get_nonce and supply a wpcf7r_post_id parameter to identify a target action/function. No user interaction or authentication is required. The plugin returns a valid nonce that can then be used in subsequent requests to perform arbitrary actions on behalf of a privileged user [1].
Impact
Successful exploitation allows an attacker to obtain a valid nonce for any WordPress action or function. With this nonce, the attacker can execute arbitrary WordPress functions that normally require authentication, such as installing plugins, modifying settings, or creating administrative users. The vulnerability compromises the confidentiality, integrity, and availability of the affected WordPress site by enabling privilege escalation and arbitrary state changes [1].
Mitigation
The vulnerability is fixed in version 2.3.4 of the Redirection for Contact Form 7 plugin. All existing users must update to this version immediately. No workarounds are available for older versions. The plugin developer has released the patched version on the WordPress plugin repository [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <2.3.4
- Query Solutions / Redirection for Contact Form 7, Range: 2.3.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control on the wpcf7r_get_nonce AJAX action allows unauthenticated users to retrieve a valid nonce for any WordPress action/function."
Attack vector
An unauthenticated attacker sends a request to the WordPress AJAX API with the action parameter set to `wpcf7r_get_nonce` and specifies a target WordPress action/function. The plugin returns a valid nonce for that action without performing any access control checks [ref_id=1]. This allows the attacker to obtain a legitimate nonce for any WordPress action or function, which can then be used to forge subsequent requests that would normally require authentication or a specific capability [CWE-284].
Affected code
The AJAX action `wpcf7r_get_nonce` in the Redirection for Contact Form 7 plugin (slug `wpcf7-redirect`) before version 2.3.4 is the vulnerable endpoint. The advisory does not specify the exact file or function name, but the action is registered to handle nonce generation requests.
What the fix does
The advisory states the vulnerability is fixed in version 2.3.4 of the plugin [ref_id=1]. No patch diff is provided in the bundle, but the remediation would involve adding proper permission checks (such as `current_user_can()`) to the `wpcf7r_get_nonce` AJAX handler so that only authenticated users with appropriate capabilities can request nonces, or restricting which actions nonces can be generated for.
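The advisory names the missing checks but not the plugin's actual code, so the following is an added illustration, not the plugin's own handler: a WordPress AJAX callback of the kind described under "Attack vector" above, first in the unchecked shape the advisory describes, then hardened along the lines the previous paragraph suggests (capability check, allowlist of nonce actions, no nopriv registration). The function names, the `manage_options` capability, the allowlist contents and the `wpcf7r_example_*` hook names are assumptions; only the `wpcf7r_post_id` parameter name comes from the page.

```php
<?php
// Added example (not the wpcf7-redirect plugin's code). Names, capability and
// allowlist are assumptions chosen to illustrate the fix class the advisory
// describes; the real file and function names are not given in the advisory.

// Assumed allowlist: the only actions the front-end legitimately needs a nonce
// for. Anything not listed is refused, so a caller cannot pick an arbitrary
// action name and receive a nonce for it.
const WPCF7R_EXAMPLE_NONCE_ACTIONS = array( 'wpcf7r_example_submit' );

// Before: the shape of the bug in the advisory. Registered for unauthenticated
// users (wp_ajax_nopriv_*), no capability check, and the caller chooses which
// action the nonce is minted for.
function wpcf7r_example_get_nonce_unchecked() {
    $action = isset( $_POST['wpcf7r_post_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpcf7r_post_id'] ) )
        : '';
    wp_send_json_success( array( 'nonce' => wp_create_nonce( $action ) ) );
}
add_action( 'wp_ajax_nopriv_wpcf7r_example_get_nonce', 'wpcf7r_example_get_nonce_unchecked' );

// After: hardened handler.
function wpcf7r_example_get_nonce_hardened() {
    // 1. Authorization first: require a logged-in user with a capability that
    //    matches what the nonce will later authorize. 'manage_options' is an
    //    assumed choice for a settings-related action.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. Only mint nonces for a fixed allowlist; sanitize_key() also strips
    //    anything that is not a plain lowercase action slug.
    $action = isset( $_POST['wpcf7r_post_id'] )
        ? sanitize_key( wp_unslash( $_POST['wpcf7r_post_id'] ) )
        : '';
    if ( ! in_array( $action, WPCF7R_EXAMPLE_NONCE_ACTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown action' ), 400 );
    }

    // 3. wp_create_nonce() ties the value to the current user ID and session
    //    token, so the returned nonce is only useful to this authenticated user.
    wp_send_json_success( array( 'nonce' => wp_create_nonce( $action ) ) );
}
// Register only the authenticated hook; deliberately no wp_ajax_nopriv_* twin.
add_action( 'wp_ajax_wpcf7r_example_get_nonce', 'wpcf7r_example_get_nonce_hardened' );

// Consumer side: a nonce is a CSRF token, not an authorization token, so the
// action that accepts it must still re-check the capability.
function wpcf7r_example_submit_handler() {
    check_ajax_referer( 'wpcf7r_example_submit', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // ... perform the privileged operation here ...
    wp_send_json_success();
}
add_action( 'wp_ajax_wpcf7r_example_submit', 'wpcf7r_example_submit_handler' );
```

The consumer-side handler is included because the fix is only complete if both halves hold: issuing nonces solely to authorized users, and treating a valid nonce as proof against CSRF rather than as proof of capability. Dropping the `wp_ajax_nopriv_*` registration alone would close the unauthenticated path described in this advisory but would still let any logged-in subscriber request nonces for arbitrary actions, which is why the allowlist and the capability check are both present.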
Preconditions
- Config: The Redirection for Contact Form 7 plugin must be installed and active with a version prior to 2.3.4.
- Network: The attacker must be able to send HTTP requests to the WordPress site's AJAX endpoint (typically /wp-admin/admin-ajax.php).
- Auth: No authentication is required; the attacker can be unauthenticated.
- Input: The attacker must specify a valid WordPress action/function name for which to retrieve a nonce.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
- https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413 (MITRE refsource: CONFIRM)
- https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/ (MITRE refsource: MISC)
News mentions (0)
No linked articles in our index yet.