VYPR
Severity: unrated · NVD Advisory · Published May 14, 2021 · Updated Aug 3, 2024

Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions

CVE-2021-24282

Description

Authenticated users, including subscribers, can abuse unprotected AJAX actions in Redirection for Contact Form 7 before 2.3.4 to reset settings or add form actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Redirection for Contact Form 7 WordPress plugin, in versions before 2.3.4, exposes several AJAX actions without capability checks. In WordPress, any handler hooked to wp_ajax_{action} is reachable through wp-admin/admin-ajax.php by every logged-in user, so the only authorisation gate is whatever the callback itself performs; these callbacks perform none. Any authenticated user, including a subscriber, can therefore reset the plugin's settings via the wpcf7r_reset_settings action or add new actions to forms via wpcf7r_add_action and similar endpoints [1].

Exploitation

The attacker needs only a valid WordPress account of any role, including the lowest-privilege subscriber role. With that session cookie, they can call the unprotected endpoints directly by sending a crafted request to admin-ajax.php that names the action, for example wpcf7r_reset_settings or wpcf7r_add_action. No further privilege, nonce or user interaction is required.
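The defect described in the Vulnerability and Exploitation sections is a missing authorisation gate inside an AJAX callback, which is easy to check for statically. The following is an added example, not code from the page or from the plugin: a small Python audit that finds wp_ajax_ registrations in PHP source and reports whether each callback calls current_user_can() and check_ajax_referer(). The embedded PHP is a constructed sample in the shape the advisory describes (action names wpcf7r_reset_settings and wpcf7r_add_action are from the advisory; wpcf7r_delete_action, the capability string, the option and post-type names are assumptions), not the plugin's real source.

```python
"""Static check for WordPress AJAX handlers that lack an authorisation gate.

Added example for CVE-2021-24282 (Redirection for Contact Form 7 < 2.3.4).
Any logged-in user can reach a `wp_ajax_{action}` callback through
wp-admin/admin-ajax.php, so a handler that never calls current_user_can()
is usable by a subscriber.  The PHP below is a constructed sample, not the
plugin's real code; capability/option/post-type names are assumptions.
"""
import re
from typing import Dict, List, Optional

SAMPLE_PLUGIN_PHP = r"""
<?php
// Constructed sample, not the real plugin source.
add_action( 'wp_ajax_wpcf7r_reset_settings', 'wpcf7r_reset_settings' );
add_action( 'wp_ajax_wpcf7r_add_action', 'wpcf7r_add_action' );
add_action( 'wp_ajax_wpcf7r_delete_action', 'wpcf7r_delete_action' );

function wpcf7r_reset_settings() {
    // Vulnerable shape: reachable by any authenticated user, no check at all.
    delete_option( 'wpcf7r_settings' );
    wp_send_json_success();
}

function wpcf7r_add_action() {
    // Vulnerable shape: nonce only; a subscriber can obtain a nonce too.
    check_ajax_referer( 'wpcf7r-ajax', 'nonce' );
    $post_id = absint( $_POST['post_id'] );
    wp_insert_post( array( 'post_type' => 'wpcf7r_action', 'post_parent' => $post_id ) );
    wp_send_json_success();
}

function wpcf7r_delete_action() {
    // Hardened shape: nonce plus an explicit capability check.
    check_ajax_referer( 'wpcf7r-ajax', 'nonce' );
    if ( ! current_user_can( 'wpcf7_edit_contact_forms' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( absint( $_POST['action_id'] ), true );
    wp_send_json_success();
}
"""

# add_action( 'wp_ajax_<action>', '<callback>' ); nopriv_ hooks are excluded
# because they are unauthenticated by design and need a separate review.
AJAX_HOOK = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?!nopriv_)(?P<action>[\w-]+)['\"]\s*,\s*['\"](?P<callback>\w+)['\"]"
)


def function_body(php: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of `function name(...) { ... }`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(php) and depth:  # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(php[i], 0)
        i += 1
    return php[m.end():i - 1]


def audit_ajax_handlers(php: str) -> Dict[str, Dict[str, bool]]:
    """Map each wp_ajax_ action to whether its callback gates on capability / nonce."""
    report = {}
    for m in AJAX_HOOK.finditer(php):
        body = function_body(php, m.group("callback")) or ""
        report[m.group("action")] = {
            "capability_check": "current_user_can(" in body,
            "nonce_check": "check_ajax_referer(" in body,
        }
    return report


def unprotected_actions(php: str) -> List[str]:
    """Actions any logged-in user could invoke: no current_user_can() in the handler."""
    return [a for a, f in audit_ajax_handlers(php).items() if not f["capability_check"]]


if __name__ == "__main__":
    for action, flags in audit_ajax_handlers(SAMPLE_PLUGIN_PHP).items():
        print(f"{action}: {flags}")
    print("unprotected:", unprotected_actions(SAMPLE_PLUGIN_PHP))
```

Run against the sample, the audit flags wpcf7r_reset_settings and wpcf7r_add_action and passes wpcf7r_delete_action. The nonce-only case is deliberately reported as unprotected: check_ajax_referer() defends against CSRF, not against a low-privilege user who already holds a session, so a capability check is the fix the advisory's class of bug needs.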

Impact

Successful exploitation lets the attacker reset the plugin's configuration, delete existing redirection rules, and add arbitrary redirection actions to Contact Form 7 forms. An attacker-added action can send form submitters to an external site of the attacker's choosing or leak submitted data, compromising the integrity and availability of the plugin's functionality [1].

Mitigation

The vulnerability is fixed in version 2.3.4 of the plugin; update to that or a later version. No workaround for earlier versions is provided [1]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)