CVE-2021-24278
Published: 2021-05-14
Priority: P2 (76) · CVSS 3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 7.36% (93.6th percentile)
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| query_solutions | redirection_for_contact_form_7 | < 2.3.4 | 2.3.4 |
| querysol | redirection_for_contact_form_7 | < 2.3.4 | 2.3.4 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php whose body carries the parameter action=wpcf7r_get_nonce. Unauthenticated requests with this action, in particular with a param naming a core WordPress action such as wp_rest, are exploitation attempts.
- A successful exploitation response contains both "success":true and a nonce value matching the pattern "nonce":"[a-f0-9]+" in the HTTP response body.
- The exploit request is sent with Content-Type: application/x-www-form-urlencoded. Monitor for unauthenticated POST requests to admin-ajax.php with this content type and the wpcf7r_get_nonce action.
- Only Redirection for Contact Form 7 plugin versions before 2.3.4 are affected; sites running 2.3.4 or later are not.
- The param field in the POST body (e.g. param=wp_rest) selects which WordPress nonce is generated. An attacker can substitute any valid WordPress action/function name to obtain a nonce for it.
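The detection logic above as a runnable script. This is an added example, not code from the page's sources, from the plugin or from any vendor. It assumes request records in a constructed JSON-lines format (fields src, method, path, content_type, cookies, body, response_body), treats a request as unauthenticated when no wordpress_logged_in_ cookie is present, and goes one step beyond the body-only IOC by also reading the action from the query string, because admin-ajax.php takes it from $_REQUEST. All sample exchanges are constructed, not captured traffic.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs

ADMIN_AJAX = "/wp-admin/admin-ajax.php"
VULN_ACTION = "wpcf7r_get_nonce"
FORM_CT = "application/x-www-form-urlencoded"
# Response IOCs from the list above: "success":true plus a hex nonce value.
SUCCESS_RE = re.compile(r'"success"\s*:\s*true')
NONCE_RE = re.compile(r'"nonce"\s*:\s*"([a-f0-9]+)"')


def is_authenticated(record: dict) -> bool:
    """WordPress marks logged-in sessions with a wordpress_logged_in_<hash> cookie."""
    return any(name.startswith("wordpress_logged_in_") for name in record.get("cookies", {}))


def request_params(record: dict) -> dict:
    """Merge query-string and form-body parameters (body wins on conflict).

    admin-ajax.php reads the action from $_REQUEST, so a probe can put it in the
    query string; the IOC list only mentions the body. First value per key is kept.
    """
    params = {k: v[0] for k, v in parse_qs(record["path"].partition("?")[2]).items()}
    if record.get("content_type", "").startswith(FORM_CT):
        params.update({k: v[0] for k, v in parse_qs(record.get("body", "")).items()})
    return params


def classify(record: dict) -> Optional[dict]:
    """Return a finding for an unauthenticated wpcf7r_get_nonce request, else None."""
    path = record["path"].partition("?")[0]
    if record["method"] != "POST" or path != ADMIN_AJAX:
        return None
    params = request_params(record)
    if params.get("action") != VULN_ACTION:
        return None
    if is_authenticated(record):
        return None  # the CVE is the unauthenticated case; logged-in calls are plugin use
    finding = {"src": record["src"], "verdict": "attempt", "nonce_for": params.get("param")}
    body = record.get("response_body", "")
    nonce = NONCE_RE.search(body)
    if SUCCESS_RE.search(body) and nonce:
        finding["verdict"] = "success"  # a nonce for that action left the server
        finding["nonce"] = nonce.group(1)
    return finding


def scan(lines) -> list:
    """Classify every JSON-lines record and keep the findings in log order."""
    findings = []
    for line in lines:
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample exchanges (not real traffic); each becomes one JSON log line.
SAMPLE_RECORDS = [
    {   # unauthenticated probe against a vulnerable site: a wp_rest nonce is leaked
        "src": "203.0.113.10", "method": "POST", "path": ADMIN_AJAX,
        "content_type": FORM_CT, "cookies": {},
        "body": "action=wpcf7r_get_nonce&param=wp_rest",
        "response_body": '{"success":true,"nonce":"a1b2c3d4e5"}',
    },
    {   # logged-in user calling the same action: outside the CVE's unauthenticated scope
        "src": "198.51.100.7", "method": "POST", "path": ADMIN_AJAX,
        "content_type": FORM_CT, "cookies": {"wordpress_logged_in_3f1c": "editor|..."},
        "body": "action=wpcf7r_get_nonce&param=wp_rest",
        "response_body": '{"success":true,"nonce":"0f0f0f0f0f"}',
    },
    {   # same probe with the action in the query string; no nonce came back
        "src": "203.0.113.10", "method": "POST",
        "path": ADMIN_AJAX + "?action=wpcf7r_get_nonce",
        "content_type": FORM_CT, "cookies": {}, "body": "param=wp_rest",
        "response_body": '{"success":false}',
    },
    {   # benign unauthenticated admin-ajax traffic
        "src": "192.0.2.5", "method": "POST", "path": ADMIN_AJAX,
        "content_type": FORM_CT, "cookies": {},
        "body": "action=heartbeat", "response_body": '{"success":true}',
    },
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Running the script yields two findings: a "success" for the first record, carrying the leaked nonce and the action it was minted for, and an "attempt" for the query-string probe where no nonce was returned. The logged-in call and the heartbeat request are not reported. The nonce_for field is worth keeping in alerts, since it tells you which WordPress action the attacker wanted to reach next.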
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | | 7.5 | HIGH | |
GHSA
GHSA-8xwc-4w4g-wpqp · ghsa_unreviewed · 2022-05-24 · HIGH · CWE-863 (Incorrect Authorization)
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
VulnCheck
querysol redirection_for_contact_form_7 Incorrect Authorization · vulncheck · 2021 · CVSS 7.5 · HIGH
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
Affected: querysol redirection_for_contact_form_7
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpcf7-redirect/redirection-for-contact-form-7-233-unauthenticated-arbitrary-nonce-generation
No detection rules found.
Nuclei
CVE-2021-24278 · HIGH · CVSS 7.5 · "WordPress Contact Form 7 <2.3.4 - Arbitrary Nonce Generation"
The template's name and description say "Contact Form 7"; the affected product is the Redirection for Contact Form 7 plugin before 2.3.4, as the description above states, not Contact Form 7 itself. The template targets the wpcf7r_get_nonce AJAX action, which unauthenticated users can use to retrieve a valid nonce for any WordPress action/function.
Template:

```yaml
id: CVE-2021-24278

info:
  name: WordPress Contact Form 7 <2.3.4 - Arbitrary Nonce Generation
  author: 2rs3c
  severity: high
  description: WordPress Contact Form 7 before version 2.3.4 allows unauthenticated users to use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
  impact: |
    Attackers can exploit this vulnerability to perform actions on behalf of authenticated users, leading to potential data breaches or unauthorized access.
  remediation: |
    Update WordPress Contact Form 7 plugin to version 2.3.4 or la
```
References:
- https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413
- https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/