VYPR
Medium severity 6.3 · NVD Advisory · Published Dec 9, 2024 · Updated Apr 23, 2026

CVE-2024-54254

Description

Missing Authorization vulnerability in Kofi Mokome Message Filter for Contact Form 7 (cf7-message-filter). This issue affects Message Filter for Contact Form 7: from n/a through <= 1.6.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Message Filter for Contact Form 7 plugin <=1.6.3 has a missing authorization vulnerability allowing unprivileged users to perform higher-privileged actions.

Vulnerability

Overview

The Message Filter for Contact Form 7 plugin (cf7-message-filter) for WordPress, version 1.6.3 and earlier, contains a missing authorization vulnerability (CWE-862: Missing Authorization) [1]. The root cause is that the plugin fails to properly check user permissions or nonce tokens in certain functions, leading to broken access control. This can allow unprivileged users to execute actions intended only for higher-privileged roles.
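To make the root cause concrete, here is an added illustration of the CWE-862 pattern in a WordPress AJAX handler. It is not the cf7-message-filter plugin's code (the plugin's source is not on this page) and the action, option names, table name and hook names are hypothetical; it shows a privileged action first without, then with, the capability and nonce checks whose absence the overview describes.

```php
<?php
// Added example, not cf7-message-filter code. A hypothetical "delete a stored
// message" admin action, shown as it would look with the checks missing and
// then in hardened form.

// --- Missing-authorization pattern (hypothetical) ---------------------------
// Any logged-in user can reach wp_ajax_* hooks, so without checks the action
// runs for whoever calls admin-ajax.php with this action name.
function cmf_example_delete_message_unchecked() {
    global $wpdb;
    $id = isset( $_POST['message_id'] ) ? absint( $_POST['message_id'] ) : 0;
    // No current_user_can() and no nonce verification: CWE-862.
    $wpdb->delete( $wpdb->prefix . 'cmf_example_messages', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_cmf_example_delete_unchecked', 'cmf_example_delete_message_unchecked' );

// --- Hardened pattern ----------------------------------------------------------
function cmf_example_delete_message() {
    // 1. Nonce: proves the request originated from the plugin's own admin page.
    //    With $stop = true the helper ends the request with HTTP 403 on failure.
    check_ajax_referer( 'cmf_example_delete_message', 'nonce', true );

    // 2. Capability: only users allowed to manage site options may proceed.
    //    A nonce alone is not authorization; a subscriber can obtain a nonce
    //    for any page they can view.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate input only after authorization has been established.
    $id = isset( $_POST['message_id'] ) ? absint( $_POST['message_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid message id.' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'cmf_example_messages', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
// Register for authenticated users only. A privileged action must never get a
// wp_ajax_nopriv_* registration, which would expose it to anonymous callers.
add_action( 'wp_ajax_cmf_example_delete_message', 'cmf_example_delete_message' );

// The admin page that issues the request embeds the matching nonce for the
// front-end script to send back as the 'nonce' POST field.
function cmf_example_enqueue_admin_script( $hook ) {
    if ( 'settings_page_cmf-example' !== $hook ) { // hypothetical settings page hook
        return;
    }
    wp_enqueue_script( 'cmf-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cmf-example-admin', 'cmfExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'cmf_example_delete_message' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cmf_example_enqueue_admin_script' );
```

When reviewing a plugin for this class of bug, the checklist is the same three points in order: every `wp_ajax_*`, `admin_post_*`, REST `permission_callback` or form handler that changes state must verify a nonce, then a capability appropriate to the action, and only then touch input; and no state-changing handler should be registered on a `nopriv` hook.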

Exploitation

Attackers can exploit this vulnerability by sending crafted requests to the affected plugin endpoints, bypassing authorization checks. Depending on the affected function, exploitation may require no authentication at all, or only a low-privileged account (such as a subscriber) that can trigger the functions lacking authorization [1]. The flaw belongs to a class of vulnerabilities frequently used in mass-exploit campaigns targeting large numbers of WordPress sites.

Impact

Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying messages, changing plugin settings, or escalating privileges. While the CVSS score is 6.3 (Medium), the actual risk depends on the specific missing authorization functions exposed [1]. The vulnerability is considered low severity in the original advisory but still warrants patching.

Mitigation

The issue has been addressed in version 1.6.3.1 of the plugin. Users are strongly advised to update immediately or enable automatic updates for vulnerable plugins via Patchstack [1]. No workaround is available. The plugin's vendor has released the fix, and no evidence of active exploitation in the wild has been reported at the time of publication.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0
No patches discovered yet.

Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0
No linked articles in our index yet.