Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
Description
Subscriber-level users can install arbitrary plugins via the import_from_debug AJAX action in Redirection for Contact Form 7 before 2.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Redirection for Contact Form 7 plugin for WordPress versions before 2.3.4 lacks proper access control on the import_from_debug AJAX action [1]. This allows any authenticated user, including those with subscriber-level privileges, to trigger the action and install any plugin from the WordPress plugin repository. The vulnerability is classified as CWE-284 (Improper Access Control).
Exploitation
An attacker needs only a valid WordPress user account with subscriber role or higher. No additional privileges are required. The attacker can send a crafted AJAX request to the import_from_debug action, specifying the plugin slug to install. The plugin will be downloaded and installed from the official WordPress repository. No user interaction beyond the attacker's own actions is needed.
Impact
Successful exploitation allows an attacker to install arbitrary plugins from the WordPress repository. This can lead to further compromise, such as installing a plugin with known vulnerabilities or a plugin that provides remote code execution, backdoor access, or privilege escalation. The attacker gains the ability to execute code on the server if the installed plugin contains malicious functionality.
Mitigation
The vulnerability is fixed in version 2.3.4 of the plugin [1]. Users should update to this version immediately. No workaround is available. The plugin is actively maintained, and the fix was released on April 20, 2021. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.3.4
- Query Solutions/Redirection for Contact Form 7, Range: 2.3.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing capability check on the `import_from_debug` AJAX action allows any authenticated user to install arbitrary plugins."
Attack vector
An attacker who is authenticated as a low-level user (e.g., Subscriber) sends a crafted AJAX request to the `import_from_debug` action [ref_id=1]. The request can name any plugin slug from the WordPress.org repository, and the vulnerable plugin installs it without checking the requesting user's capabilities [ref_id=1]. This amounts to privilege escalation, because the attacker can install a plugin that grants additional capabilities or backdoor access [CWE-284].
Affected code
The AJAX action `import_from_debug` in the Redirection for Contact Form 7 plugin (slug: `wpcf7-redirect`) lacks proper authorization checks, allowing low-privileged users to invoke it [ref_id=1]. The plugin does not verify that the requesting user has the `install_plugins` capability before processing the AJAX request.
What the fix does
The advisory states the vulnerability is fixed in version 2.3.4 of the plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix would involve adding a capability check (e.g., `current_user_can('install_plugins')`) to the `import_from_debug` AJAX handler to ensure only administrators can trigger plugin installation. The vendor also likely added a nonce check to prevent cross-site request forgery.
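The hardened handler below is an added illustration of the two controls the fix is expected to contain (a nonce check and a capability check), plus slug validation, in the form a WordPress AJAX handler normally takes. It is not the wpcf7-redirect plugin's own code; the action name, callback name, nonce action string, and the `plugin_slug` / `security` request fields are assumptions. The vulnerable pattern the advisory describes is simply this function with steps 1 and 2 absent.

```php
<?php
// Hypothetical hardened AJAX handler (added example, not the plugin's code).
// Names below are assumptions: the action, callback, nonce action and fields.

add_action( 'wp_ajax_example_import_from_debug', 'example_import_from_debug_handler' );

function example_import_from_debug_handler() {
    // 1. Nonce check: rejects forged cross-site requests. The page sending the
    //    request must carry wp_create_nonce( 'example_import_from_debug' ) in a
    //    `security` field; check_ajax_referer() terminates the request with a
    //    403 when the nonce is missing, expired or invalid.
    check_ajax_referer( 'example_import_from_debug', 'security' );

    // 2. Capability check: a valid nonce proves intent, not authority. Plugin
    //    installation requires install_plugins, which Subscribers never hold.
    //    This is the check whose absence lets any logged-in user reach step 4.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: WordPress.org slugs are lowercase letters, digits and
    //    hyphens; reject anything else before it reaches the installer.
    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    if ( '' === $slug || ! preg_match( '/^[a-z0-9-]+$/', $slug ) ) {
        wp_send_json_error( array( 'message' => 'Invalid plugin slug.' ), 400 );
    }

    // 4. Only now perform the privileged work, via the core installer APIs.
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 404 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || true !== $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The order matters: `check_ajax_referer()` runs first so that a forged request dies before any user-specific logic, and `current_user_can( 'install_plugins' )` runs before the slug is even read, so an unprivileged caller learns nothing about which slugs are valid. Note that `wp_ajax_*` hooks are only reachable by logged-in users, which is exactly why a missing capability check turns every Subscriber into a plugin installer.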
Preconditions
- auth: Attacker must have a valid WordPress user account with at least the Subscriber role
- config: The Redirection for Contact Form 7 plugin must be installed and active with a version prior to 2.3.4
- network: Attacker must be able to send AJAX requests to the WordPress admin-ajax.php endpoint
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920 (MITRE, x_refsource_CONFIRM)
- www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.