VYPR
Unrated severity · NVD Advisory · Published Oct 11, 2022 · Updated Apr 28, 2026

Redirection for Contact Form 7 <= 2.4.0 - Unauthenticated Options Change and Content Injection vulnerability

CVE-2021-36913

Description

Unauthenticated attackers can change WordPress options and inject scripts via the Redirection for Contact Form 7 plugin (≤2.4.0), when paired with the AccessiBe plugin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An unauthenticated options change and content injection vulnerability exists in the Redirection for Contact Form 7 (wpcf7-redirect) plugin for WordPress, affecting versions up to and including 2.4.0 [1]. When the optional third-party plugin AccessiBe is also installed, an attacker can exploit this flaw to modify arbitrary WordPress options and inject malicious scripts into the site's footer HTML [1]. The vulnerable code path is reachable without any authentication or user interaction, as long as both plugins are active [1].

Exploitation

An attacker needs no authentication or special network position; they can exploit this vulnerability remotely over HTTP [1]. By sending crafted requests to a WordPress site running the vulnerable wpcf7-redirect version (≤2.4.0) together with the AccessiBe plugin, the attacker can manipulate WordPress options and inject arbitrary scripts [1]. No user interaction or prior knowledge is required beyond the presence of the two plugins [1].

Impact

Successful exploitation allows an unauthenticated attacker to change arbitrary WordPress options, potentially altering site behavior or security settings, and inject arbitrary scripts into the site's footer HTML [1]. This can lead to content injection, cross-site scripting (XSS) attacks, or further compromise of the WordPress installation and its visitors [1]. The attacker gains the ability to modify site configuration and serve malicious content to users.

Mitigation

The Redirection for Contact Form 7 plugin has been updated to version 3.2.10, which likely addresses this vulnerability, though the specific fixed version is not explicitly referenced [1]. Users should immediately update to the latest version (at least 3.2.10) from the WordPress plugin repository [1]. As a workaround, disabling or removing the AccessiBe plugin may also mitigate the vulnerability until the plugin is updated [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2
