Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities found for Redirection for Contact Form 7 by Query Solutions
CVE-2021-24280 (GCVE-0-2021-24280)
Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
Severity
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
| https://wpscan.com/vulnerability/db4ba6b0-887e-4e… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated PHP Object Injection",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24280",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated PHP Object Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24280",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:23.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24279 (GCVE-0-2021-24279)
Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
| https://wpscan.com/vulnerability/75f7690d-7f6b-48… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated Arbitrary Plugin Installation",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24279",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated Arbitrary Plugin Installation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24279",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:22.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24281 (GCVE-0-2021-24281)
Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
| https://wpscan.com/vulnerability/daf12b85-f5ad-42… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.730Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated Arbitrary Post Deletion",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24281",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated Arbitrary Post Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24281",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:22.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24278 (GCVE-0-2021-24278)
Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/99f30604-d62b-4e… | x_refsource_CONFIRM |
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Unauthenticated Arbitrary Nonce Generation",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24278",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Unauthenticated Arbitrary Nonce Generation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413"
},
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24278",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:23.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24282 (GCVE-0-2021-24282)
Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin’s settings, wpcf7r_add_action to add actions to a form, and more.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
| https://wpscan.com/vulnerability/def87e69-bade-43… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin\u2019s settings, wpcf7r_add_action to add actions to a form, and more."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Unprotected AJAX Actions",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24282",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Unprotected AJAX Actions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin\u2019s settings, wpcf7r_add_action to add actions to a form, and more."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24282",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:22.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24280 (GCVE-0-2021-24280)
Vulnerability from nvd – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
Severity
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
| https://wpscan.com/vulnerability/db4ba6b0-887e-4e… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated PHP Object Injection",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24280",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated PHP Object Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24280",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:23.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24279 (GCVE-0-2021-24279)
Vulnerability from nvd – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
| https://wpscan.com/vulnerability/75f7690d-7f6b-48… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated Arbitrary Plugin Installation",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24279",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated Arbitrary Plugin Installation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24279",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:22.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24281 (GCVE-0-2021-24281)
Vulnerability from nvd – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
| https://wpscan.com/vulnerability/daf12b85-f5ad-42… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.730Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated Arbitrary Post Deletion",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24281",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Authenticated Arbitrary Post Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/daf12b85-f5ad-4261-ab39-be6840ad3cdc"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24281",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:22.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24278 (GCVE-0-2021-24278)
Vulnerability from nvd – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/99f30604-d62b-4e… | x_refsource_CONFIRM |
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Unauthenticated Arbitrary Nonce Generation",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24278",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Unauthenticated Arbitrary Nonce Generation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413"
},
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24278",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:23.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24282 (GCVE-0-2021-24282)
Vulnerability from nvd – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI
Title
Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions
Summary
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin’s settings, wpcf7r_add_action to add actions to a form, and more.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/blog/2021/04/severe-vul… | x_refsource_MISC |
| https://wpscan.com/vulnerability/def87e69-bade-43… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Query Solutions | Redirection for Contact Form 7 |
Affected:
2.3.4 , < 2.3.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Redirection for Contact Form 7",
"vendor": "Query Solutions",
"versions": [
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin\u2019s settings, wpcf7r_add_action to add actions to a form, and more."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Redirection for Contact Form 7 \u003c 2.3.4 - Unprotected AJAX Actions",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24282",
"STATE": "PUBLIC",
"TITLE": "Redirection for Contact Form 7 \u003c 2.3.4 - Unprotected AJAX Actions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Redirection for Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.3.4",
"version_value": "2.3.4"
}
]
}
}
]
},
"vendor_name": "Query Solutions"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin\u2019s settings, wpcf7r_add_action to add actions to a form, and more."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/"
},
{
"name": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/def87e69-bade-431b-b101-d463a26406e9"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24282",
"datePublished": "2021-05-14T11:38:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:22.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}