Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
Description
Authenticated users with subscriber-level access can delete arbitrary posts via the delete_action_post AJAX action in Redirection for CF7 before 2.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the Redirection for Contact Form 7 WordPress plugin before version 2.3.4, the delete_action_post AJAX action fails to properly authorize the request. Any authenticated user, including subscribers, can exploit this missing capability check to delete any post on the site. The vulnerable code path is reachable by any logged-in user without requiring any special configuration [1].
Exploitation
An attacker needs only a valid WordPress user account, such as a subscriber, and knowledge of the target post ID. The attacker crafts a request to the delete_action_post AJAX endpoint, passing the desired post ID. The plugin does not verify that the current user has edit or delete capabilities on that post, allowing the deletion to proceed. No additional privileges or user interaction are required [1].
Impact
Successful exploitation allows the attacker to delete any post on the WordPress site, including published pages, posts, and custom post types. This results in significant data loss and can disrupt site content and functionality. The attacker gains the ability to arbitrarily remove content without authorization [1].
Mitigation
The vulnerability is fixed in version 2.3.4 of the Redirection for Contact Form 7 plugin. Users should update to this version or later immediately. No other workarounds are mentioned in the available references [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.3.4
- Query Solutions / Redirection for Contact Form 7, Range: 2.3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc (MITRE: x_refsource_CONFIRM)
- www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/ (MITRE: x_refsource_MISC)
News mentions
No linked articles in our index yet.