CVE-2021-24278
published 2021-05-14


Priority: P276 (high)
CVSS 3.1: 7.5 (high)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit status: ITW exploit, VulnCheck KEV (exploited in the wild)
EPSS: 7.36% (93.6th percentile)
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
query_solutions | redirection_for_contact_form_7 | >= 2.3.4 < 2.3.4 | 2.3.4
querysol | redirection_for_contact_form_7 | < 2.3.4 | 2.3.4

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
other: wpcf7r_get_nonce
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the body parameter 'action=wpcf7r_get_nonce'. Unauthenticated requests containing this action indicate active exploitation.
  • A successful exploitation response will contain both '"success":true' and a nonce value matching the pattern '"nonce":"[a-f0-9]+"' in the HTTP response body.
  • The Content-Type header for the exploit request is 'application/x-www-form-urlencoded'. Monitor for unauthenticated POST requests to admin-ajax.php with this content type and the wpcf7r_get_nonce action.
  • The vulnerability affects only the Redirection for Contact Form 7 WordPress plugin versions before 2.3.4. Sites running version 2.3.4 or later are not affected.
  • The 'param' field in the POST body (e.g., 'param=wp_rest') controls which WordPress nonce is generated. Attackers can substitute any valid WordPress action/function name to obtain a nonce for it.
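The detection notes above can be turned into a log-review routine. The following is an added example, not part of this record or of the plugin; it assumes a hypothetical JSON-lines log format (one object per request, with request body and response body captured, as a WAF or reverse proxy with body logging might emit) and treats a `wordpress_logged_in_*` cookie as the sign of an authenticated session. The sample records are constructed. It goes slightly beyond the notes by also reading `action` from the query string, since admin-ajax.php accepts it there as well, and by separating an unauthenticated call that received a nonce ("exploited") from one that did not ("attempt").

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "wpcf7r_get_nonce"
FORM_CT = "application/x-www-form-urlencoded"
# Nonce pattern from the detection notes: "nonce":"<hex>"
NONCE_RE = re.compile(r'"nonce":"([a-f0-9]+)"')

# Constructed sample records (hypothetical JSON-lines format, one request per line).
# Record 1: unauthenticated call that received a nonce (vulnerable plugin).
# Record 2: same call from a logged-in user (normal plugin use).
# Record 3: unrelated AJAX action. Record 4: GET, not a POST.
# Record 5: unauthenticated call refused (patched plugin).
SAMPLE_LOG = r'''
{"src": "203.0.113.10", "method": "POST", "path": "/wp-admin/admin-ajax.php", "content_type": "application/x-www-form-urlencoded", "cookies": "", "body": "action=wpcf7r_get_nonce&param=wp_rest", "status": 200, "response": "{\"success\":true,\"data\":{\"nonce\":\"0a1b2c3d4e\"}}"}
{"src": "203.0.113.11", "method": "POST", "path": "/wp-admin/admin-ajax.php", "content_type": "application/x-www-form-urlencoded", "cookies": "wordpress_logged_in_abc=alice%7Chash", "body": "action=wpcf7r_get_nonce&param=wp_rest", "status": 200, "response": "{\"success\":true,\"data\":{\"nonce\":\"5f6e7d8c9b\"}}"}
{"src": "203.0.113.12", "method": "POST", "path": "/wp-admin/admin-ajax.php", "content_type": "application/x-www-form-urlencoded", "cookies": "", "body": "action=heartbeat", "status": 200, "response": "{\"success\":true}"}
{"src": "203.0.113.13", "method": "GET", "path": "/wp-admin/admin-ajax.php", "content_type": "", "cookies": "", "body": "", "status": 400, "response": "0"}
{"src": "203.0.113.14", "method": "POST", "path": "/wp-admin/admin-ajax.php", "content_type": "application/x-www-form-urlencoded", "cookies": "", "body": "action=wpcf7r_get_nonce&param=wp_rest", "status": 403, "response": "{\"success\":false}"}
'''


def _action_and_param(record):
    """Return (action, param), taken from the form body first and the query string second.
    admin-ajax.php reads 'action' from either, so a detector should check both."""
    qs = parse_qs(urlsplit(record.get("path", "")).query)
    body = parse_qs(record.get("body", ""))
    action = (body.get("action") or qs.get("action") or [""])[0]
    param = (body.get("param") or qs.get("param") or [""])[0]
    return action, param


def classify(record):
    """Return a finding dict for one record, or None if it is not a wpcf7r_get_nonce call."""
    if record.get("method") != "POST":
        return None
    if urlsplit(record.get("path", "")).path != AJAX_PATH:
        return None
    action, param = _action_and_param(record)
    if action != AJAX_ACTION:
        return None

    # Assumption: a wordpress_logged_in_* cookie marks an authenticated session.
    authenticated = "wordpress_logged_in_" in record.get("cookies", "")
    response = record.get("response", "")
    nonce = NONCE_RE.search(response)
    leaked = '"success":true' in response and nonce is not None

    if authenticated:
        outcome = "authenticated_use"   # logged-in user; expected plugin behaviour
    elif leaked:
        outcome = "exploited"           # unauthenticated caller received a nonce
    else:
        outcome = "attempt"             # unauthenticated call, no nonce returned
    return {
        "src": record.get("src"),
        "outcome": outcome,
        "requested_param": param,       # which WordPress action a nonce was asked for
        "nonce": nonce.group(1) if leaked else None,
        "form_urlencoded": record.get("content_type", "").startswith(FORM_CT),
    }


def scan_log(text):
    """Parse JSON-lines log text and return the list of findings in log order."""
    findings = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per outcome, e.g. {'exploited': 1, 'attempt': 2}."""
    counts = {}
    for finding in findings:
        counts[finding["outcome"]] = counts.get(finding["outcome"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(summarize(results))
```

Only the "exploited" outcome proves the plugin handed a nonce to an anonymous caller; an "attempt" against a site already on 2.3.4 or later is noise worth counting but not an incident, and "authenticated_use" is the plugin working as designed.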

CVSS provenance

nvd v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck: 7.5 HIGH