CVE-2021-24278
📋 TL;DR
This vulnerability allows unauthenticated attackers to retrieve valid WordPress nonces (security tokens) for any action via an AJAX endpoint in the Redirection for Contact Form 7 plugin. Any WordPress site using vulnerable versions of this plugin is affected, potentially enabling privilege escalation or unauthorized actions.
💻 Affected Systems
- Redirection for Contact Form 7 WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use retrieved nonces to perform administrative actions, install malicious plugins/themes, modify site content, or achieve remote code execution by bypassing WordPress security controls.
Likely Case
Attackers would use the nonce to perform actions like creating administrator accounts, modifying plugin settings, or redirecting forms to malicious destinations.
If Mitigated
With proper network segmentation and least privilege, impact would be limited to the WordPress instance itself rather than broader network compromise.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable AJAX endpoint. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.4
Vendor Advisory: https://wordpress.org/plugins/wpcf7-redirect/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Redirection for Contact Form 7'.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.3.4+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Linux: Block access to the wpcf7r_get_nonce AJAX action via .htaccess or web server configuration
# Add to .htaccess (requires mod_rewrite). This blocks requests that carry the
# action in the query string; the same action sent in a POST body is not
# visible to RewriteCond, so pair it with a WAF rule that inspects bodies.
RewriteEngine On
RewriteCond %{QUERY_STRING} action=wpcf7r_get_nonce [NC]
RewriteRule ^.*$ - [F,L]
Deactivate plugin
All platforms: Temporarily disable the Redirection for Contact Form 7 plugin until patched
wp plugin deactivate wpcf7-redirect
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to wpcf7r_get_nonce endpoint
- Restrict access to WordPress admin functions and monitor for suspicious nonce usage
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins → Installed Plugins. If the Redirection for Contact Form 7 version is below 2.3.4, the site is vulnerable.
Check Version:
wp plugin get wpcf7-redirect --field=version
Verify Fix Applied:
Confirm the plugin version is 2.3.4 or higher. Test by requesting /wp-admin/admin-ajax.php?action=wpcf7r_get_nonce; the response should be an error or contain no nonce.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST/GET requests to /wp-admin/admin-ajax.php with action=wpcf7r_get_nonce parameter
- Unusual administrative actions from non-admin IP addresses following nonce requests
Network Indicators:
- HTTP requests to WordPress AJAX endpoint with wpcf7r_get_nonce action from external IPs
- Subsequent requests using freshly generated nonces for privileged actions
SIEM Query:
source="web_logs" AND (url="*admin-ajax.php*" AND query="*action=wpcf7r_get_nonce*")
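The two log indicators above (repeated wpcf7r_get_nonce fetches, then admin actions from the same non-admin IP) can be checked offline against a web server access log. The script below is an added example, not part of this advisory; it assumes Apache/nginx combined log format, a hypothetical 10-minute correlation window, and constructed sample lines rather than real traffic.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
NONCE_ACTION = "wpcf7r_get_nonce"

def parse_line(line):
    """Parse one access-log line into a dict (None if the line does not match)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["action"] = parse_qs(parts.query).get("action", [None])[0]
    return rec

def is_nonce_fetch(rec):
    # Access logs expose only the query string; the same action sent in a POST
    # body is invisible here, so this check is a floor, not full coverage.
    return rec["path"].endswith("/wp-admin/admin-ajax.php") and rec["action"] == NONCE_ACTION

def find_suspicious(lines, window_s=600, admin_ips=frozenset()):
    """Non-admin IPs that fetched a nonce and then hit /wp-admin/ within window_s seconds."""
    recs = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    last_fetch, hits = {}, []
    for r in recs:
        if r["ip"] in admin_ips:
            continue
        if is_nonce_fetch(r):
            last_fetch[r["ip"]] = r["ts"]
        elif r["path"].startswith("/wp-admin/") and r["ip"] in last_fetch \
                and (r["ts"] - last_fetch[r["ip"]]).total_seconds() <= window_s:
            hits.append((r["ip"], r["method"], r["path"], r["status"]))
    return hits

# Constructed sample lines (not real traffic); the admin-ajax POST stands in for a
# follow-up privileged action whose 'action' parameter travels in the request body.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2021:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpcf7r_get_nonce HTTP/1.1" 200 61 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Apr/2021:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '198.51.100.3 - - [10/Apr/2021:12:01:10 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2021:12:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=wpcf7r_get_nonce HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
]
```

Run `find_suspicious(SAMPLE_LOG, admin_ips={"192.0.2.9"})` to see the one correlated IP; pass your own known admin source IPs to suppress legitimate editor traffic.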
🔗 References
- https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413
- https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin/