Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection
Description
Authenticated users can inject PHP objects via the import_from_debug AJAX action in Redirection for Contact Form 7 before 2.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Redirection for Contact Form 7 plugin before version 2.3.4 contains a PHP object injection vulnerability. The import_from_debug AJAX action is accessible to any authenticated user, including subscribers. The vulnerability arises because the plugin deserializes user-supplied input without proper validation, allowing injection of arbitrary PHP objects [1].
Exploitation
An attacker needs only an authenticated account with subscriber-level access or higher. By sending a crafted request to the import_from_debug AJAX action with a malicious serialized PHP object, the attacker can trigger deserialization. This can be done without any additional privileges or user interaction [1].
Impact
Successful exploitation allows an attacker to inject arbitrary PHP objects, potentially leading to remote code execution (RCE) or other malicious actions depending on the available gadgets. The impact is critical, as a low-privileged user can compromise the entire WordPress site [1].
Mitigation
The vulnerability is fixed in version 2.3.4 of the plugin. Users are strongly advised to update to this version or later immediately. No workarounds are documented; until the update is applied, the only practical compensating control is to restrict or audit accounts that can log in, since any authenticated role can reach the action. The fix is confirmed by the vendor, and the Wordfence write-up cited below dates from April 2021 [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Query Solutions / Redirection for Contact Form 7, affected range: < 2.3.4
- Query Solutions / Redirection for Contact Form 7, range: 2.3.4 (the fixed release, see Mitigation)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `import_from_debug` AJAX action unserializes user-supplied input without validation, allowing PHP object injection."
Attack vector
An attacker who is authenticated as any user role (e.g., a subscriber) can send a crafted AJAX request to the `import_from_debug` action. The plugin unserializes attacker-supplied input without sanitization, enabling PHP object injection [CWE-502] [ref_id=1]. This can lead to arbitrary code execution or other server-side impacts depending on available gadget chains.
Affected code
The vulnerable AJAX action `import_from_debug` is exposed by the Redirection for Contact Form 7 plugin. The advisory does not specify the exact file or function name. In WordPress, an AJAX action reachable by logged-in users is registered on the `wp_ajax_{action}` hook and dispatched through `admin-ajax.php`; such a handler runs for every authenticated user, including subscribers, unless it performs its own capability check, which this one did not.
What the fix does
The advisory states the vulnerability is fixed in version 2.3.4 of the plugin [ref_id=1]. No patch diff is provided in the bundle and the advisory gives no detail, so the exact change is not confirmed here; a fix for this class of issue typically restricts the action to privileged users (a capability check plus a nonce), stops passing untrusted input to `unserialize()`, or removes the insecure AJAX action entirely. Users should update to version 2.3.4 or later.
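The following is an added illustration, not the plugin's own code and not its actual fix: it reconstructs the pattern the Exploitation and What the fix does sections describe (a `wp_ajax_` handler that feeds a POST parameter straight into `unserialize()`) and places a hardened handler beside it. The function names, hook names, the `import_data` parameter, and the `hypo_redirect_rules` option are all hypothetical; only the WordPress API calls (`current_user_can`, `check_ajax_referer`, `wp_unslash`, `update_option`, `wp_send_json_*`) are real.

```php
<?php
/*
 * Added example, not from the Redirection for Contact Form 7 plugin.
 * Hook names, function names, the 'import_data' parameter and the
 * 'hypo_redirect_rules' option are hypothetical.
 */

/*
 * VULNERABLE PATTERN (CWE-502). Registered on a wp_ajax_ hook, so any
 * logged-in user can POST to admin-ajax.php?action=hypo_import_from_debug_vuln.
 * No capability check, no nonce, and the raw string goes to unserialize(),
 * which instantiates whatever class the payload names, e.g. a string of the
 * generic shape  O:9:"SomeClass":1:{s:4:"prop";s:3:"foo";}  (illustrative,
 * not a real gadget). Any class with a __wakeup()/__destruct() gadget that is
 * loaded on the site becomes reachable to a subscriber.
 */
function hypo_import_from_debug_vulnerable() {
    $raw   = isset( $_POST['import_data'] ) ? wp_unslash( $_POST['import_data'] ) : '';
    $rules = unserialize( $raw ); // attacker-controlled bytes -> arbitrary objects
    update_option( 'hypo_redirect_rules', $rules );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_import_from_debug_vuln', 'hypo_import_from_debug_vulnerable' );

/*
 * HARDENED PATTERN. Three independent controls; any one of them alone would
 * have blocked the subscriber-level attack described in the advisory.
 */
function hypo_import_from_debug_hardened() {
    // 1. Authorisation: importing redirect rules is an administrative task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce created with
    //    wp_create_nonce( 'hypo_import_from_debug' ) in the 'nonce' field.
    //    check_ajax_referer() dies with HTTP 403 on failure.
    check_ajax_referer( 'hypo_import_from_debug', 'nonce' );

    // 3. Never unserialize() untrusted bytes. Accept JSON instead and
    //    validate the structure field by field.
    $raw   = isset( $_POST['import_data'] ) ? wp_unslash( $_POST['import_data'] ) : '';
    $rules = json_decode( $raw, true ); // associative arrays only, no objects
    if ( ! is_array( $rules ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }

    $clean = array();
    foreach ( $rules as $rule ) {
        if ( ! is_array( $rule ) || empty( $rule['form_id'] ) || empty( $rule['url'] ) ) {
            continue; // drop anything that is not a {form_id, url} pair
        }
        $clean[] = array(
            'form_id' => absint( $rule['form_id'] ),
            'url'     => esc_url_raw( $rule['url'] ),
        );
    }

    update_option( 'hypo_redirect_rules', $clean );
    wp_send_json_success( array( 'imported' => count( $clean ) ) );
}
add_action( 'wp_ajax_hypo_import_from_debug', 'hypo_import_from_debug_hardened' );
```

If a legacy serialized format genuinely has to be accepted, the minimum change on PHP 7.0+ is `unserialize( $raw, array( 'allowed_classes' => false ) )`, which turns every object in the payload into `__PHP_Incomplete_Class` and so defuses gadget chains; the capability and nonce checks should still be added, because the action has no business being reachable by a subscriber at all.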
Preconditions
- auth: The attacker must be authenticated to the WordPress site (any role, including subscriber).
- config: The Redirection for Contact Form 7 plugin must be installed and active with a version before 2.3.4.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329 (CONFIRM)
2. www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/ (MISC)
News mentions
No linked articles in our index yet.