Redirection for Contact Form 7 < 2.5.0 - Reflected Cross-Site Scripting
Description
Reflected XSS in Redirection for Contact Form 7 plugin before 2.5.0 due to unescaped link output in an attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Redirection for Contact Form 7 WordPress plugin versions before 2.5.0 contain a reflected cross-site scripting (XSS) vulnerability. The plugin fails to escape a generated link before outputting it in an HTML attribute, allowing an attacker to inject arbitrary JavaScript code. The vulnerable code path is reachable when the plugin processes a redirect URL parameter without proper sanitization [1].
Exploitation
An attacker can craft a malicious URL containing a specially crafted link parameter that includes JavaScript payloads. The attacker must trick a logged-in user (e.g., an administrator) into clicking the crafted link. No authentication is required to trigger the vulnerability, but user interaction is necessary. The injected script executes in the context of the victim's browser session [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The attack is reflected, meaning the payload is not stored on the server but delivered via the crafted link [1].
Mitigation
The vulnerability is fixed in version 2.5.0 of the plugin. Users should update to this version or later immediately. No workarounds are documented. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
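As an added illustration (not the plugin's code, which this record does not reproduce), the unescaped-attribute pattern described under Vulnerability beside the escaped form that closes it; the function names, the `redirect_to` parameter and the anchor markup are hypothetical, while `esc_url()` and `wp_unslash()` are WordPress core functions:

```php
<?php
// Added illustration only: not the plugin's code. The function names,
// the `redirect_to` parameter and the anchor markup are hypothetical.

// Vulnerable pattern: a request-controlled link is written straight
// into an HTML attribute. A double quote in the value terminates the
// href attribute and the rest of the value is parsed as further
// attributes, which is the reflected XSS the advisory describes.
function example_redirect_link_unescaped( $url ) {
    return '<a href="' . $url . '">Continue</a>';
}

// Hardened pattern using WordPress core escaping. esc_url() removes
// characters that are not valid in a URL (including double quotes),
// encodes the single quote and ampersand, and returns '' for a
// scheme outside wp_allowed_protocols(), e.g. javascript:.
function example_redirect_link_escaped( $url ) {
    $safe = esc_url( $url );
    if ( '' === $safe ) {
        return ''; // nothing is rendered for a URL that cannot be allowed
    }
    return '<a href="' . $safe . '">Continue</a>';
}

// Call site: read the parameter, strip the slashes WordPress adds, and
// escape at output time rather than relying on input sanitisation.
$redirect = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
echo example_redirect_link_escaped( $redirect );
```

Escaping is chosen by output context: `esc_url()` for a URL-valued attribute such as `href`, `esc_attr()` for other attribute values, `esc_html()` for text nodes.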
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Redirection for Contact Form 7
  - Range: <2.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/05700942-3143-4978-89eb-814ceff74867 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.