[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6vVbtRPThdNngH0L0pA_oApPz9g9-gQwt-iChl1Z6gM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39707","accept-paypal-payments-using-contact-form-7-missing-authorization","Accept PayPal Payments using Contact Form 7 \u003C= 4.0.5 - Missing Authorization","The Accept PayPal Payments using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.0.5. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","contact-form-7-paypal-extension",null,"\u003C=4.0.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-01 00:00:00","2026-04-15 21:33:44",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbb39990d-6d9d-413d-9c1d-582902ecdc5a?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to investigate and exploit CVE-2026-39707, a missing authorization vulnerability in the \"Accept PayPal Payments using Contact Form 7\" plugin (versions \u003C= 4.0.5).\n\n### 1. Vulnerability Summary\nThe vulnerability is a **Missing Authorization** flaw. It occurs because certain sensitive functions (likely registered as AJAX handlers) do not perform a capability check (e.g., `current_user_can( 'manage_options' )`) before executing. While these handlers might be protected by nonces to prevent CSRF, the lack of authorization allows any user (and potentially unauthenticated users if `wp_ajax_nopriv_` is used) to perform actions like modifying plugin settings, hijacking PayPal email addresses, or altering transaction logs.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX endpoint `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **Vulnerable Action (Inferred):** Likely an action such as `paypal_cf7_save_settings`, `cf7_paypal_save_settings`, or `update_paypal_settings`.\n*   **Payload Parameter:** POST parameters containing configuration data, specifically `paypal_email` (or similar) to redirect payments.\n*   **Authentication:** The vulnerability likely involves an action registered with `wp_ajax_nopriv_`, meaning **unauthenticated** access is possible. If registered only with `wp_ajax_`, it requires any logged-in user (Subscriber level).\n*   **Preconditions:** The plugin must be active. 
A nonce may be required, which can be harvested from the public-facing site or admin dashboard depending on where the script is localized.\n\n### 3. Code Flow (Trace)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with a specific `action` parameter.\n2.  **Hook Registration:** The plugin registers the action:\n    `add_action( 'wp_ajax_nopriv_CALLBACK_ACTION', 'vulnerable_function_name' );` (inferred)\n3.  **Vulnerable Sink:** The `vulnerable_function_name` is called. It likely contains:\n    *   A call to `check_ajax_referer()` or `wp_verify_nonce()` (providing CSRF protection but not authorization).\n    *   **Missing:** `if ( ! current_user_can( 'manage_options' ) ) wp_die();`\n    *   Logic to call `update_option( 'PLUGIN_SETTINGS_OPTION', $_POST[...] );`.\n\n### 4. Nonce Acquisition Strategy\nIf the AJAX handler uses `check_ajax_referer`, we must obtain a valid nonce.\n1.  **Identify Nonce Localization:** Search the codebase for `wp_localize_script`.\n    *   `grep -r \"wp_localize_script\" .`\n    *   Look for a variable name like `cf7_paypal_obj` or `paypal_settings_vars`.\n2.  **Identify Triggering Shortcode:** Find the shortcode that enqueues the relevant scripts.\n    *   `grep -r \"add_shortcode\" .` (e.g., `[contact-form-7-paypal]`).\n3.  **Setup Page:**\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Payment Page\" --post_content=\"[contact-form-7-paypal]\"`\n4.  **Extract Nonce:**\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.cf7_paypal_obj?.nonce\")` (Replace `cf7_paypal_obj` and `nonce` with real keys found in Step 1).\n\n### 5. Exploitation Strategy\n1.  **Discover the Action Name:**\n    *   Run `grep -rn \"wp_ajax_nopriv_\" .` to find all unauthenticated AJAX entry points.\n    *   Examine the callback functions for those that modify options.\n2.  
**Determine Payload:**\n    *   Identify the option name being updated (e.g., `cf7_paypal_settings`).\n    *   Identify the expected array structure or POST parameters (e.g., `paypal_email`, `currency`, `sandbox_mode`).\n3.  **Craft the Request:**\n    *   Target: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   Method: `POST`\n    *   Content-Type: `application\u002Fx-www-form-urlencoded`\n    *   Body: `action=VULNERABLE_ACTION&nonce=NONCE_VALUE&paypal_email=attacker@evil.com&...`\n4.  **Execution:** Use `http_request` to send the payload.\n\n### 6. Test Data Setup\n1.  **Install\u002FActivate:** Ensure `contact-form-7` and `contact-form-7-paypal-extension` (v4.0.5) are active.\n2.  **Configure Plugin:** Set a legitimate PayPal email initially:\n    *   `wp option update cf7_paypal_settings '{\"paypal_email\":\"legit@business.com\"}' --format=json` (Check real option name\u002Fformat. `--format=json` makes WP-CLI store the value as a PHP array; without it the literal JSON string is stored, and a handler that does `$settings['paypal_email'] = ...` would be indexing a string.)\n3.  **Create Extraction Page:** Place the plugin's shortcode on a public page to allow nonce harvesting if needed.\n\n### 7. Expected Results\n*   The server responds with a `200 OK` (often returning `1` or a JSON success message).\n*   The plugin's settings are modified in the database.\n*   Specifically, the `paypal_email` parameter is updated to the attacker's value, effectively redirecting all future payments from site customers to the attacker.\n\n### 8. Verification Steps\n1.  **Check Database via CLI:**\n    *   `wp option get cf7_paypal_settings` (or the relevant option name found during research).\n    *   Confirm the `paypal_email` matches `attacker@evil.com`.\n2.  **Admin UI Check:**\n    *   Navigate to the plugin settings page in the WordPress dashboard and verify the PayPal email has changed.\n\n### 9. Alternative Approaches\n*   **Subscriber-level Exploitation:** If no `nopriv` action exists, check if `wp_ajax_` (authenticated) actions are registered without capability checks. 
If so, create a Subscriber user (`wp user create attacker attacker@example.com --role=subscriber`) and perform the same request with logged-in cookies.\n*   **Settings Injection:** If the plugin uses a generic \"save settings\" function, attempt to inject other WordPress options (e.g., `users_can_register`, `default_role`) if the code doesn't strictly whitelist which option keys it updates.","The Accept PayPal Payments using Contact Form 7 plugin for WordPress (\u003C= 4.0.5) is vulnerable to unauthorized access because a function lacks a capability check. The handler name, its AJAX registration and the option it writes, as shown below, are inferred from the advisory and have not been verified against the plugin source. If, as assumed here, the unprotected function is an AJAX handler registered with wp_ajax_nopriv_ that updates plugin settings, an unauthenticated attacker can modify sensitive configuration such as the recipient's PayPal email address and hijack payments.","\u002F\u002F contact-form-7-paypal-extension.php (reconstructed: function, action and option names are inferred, not the plugin's actual source)\n\nadd_action('wp_ajax_nopriv_cf7_paypal_save_settings', 'cf7_paypal_save_settings');\nadd_action('wp_ajax_cf7_paypal_save_settings', 'cf7_paypal_save_settings');\n\nfunction cf7_paypal_save_settings() {\n    \u002F\u002F Vulnerability: no capability check (e.g., current_user_can('manage_options'))\n    \u002F\u002F and no nonce check; the wp_ajax_nopriv_ registration above means any\n    \u002F\u002F unauthenticated POST to admin-ajax.php with action=cf7_paypal_save_settings lands here\n    if ( isset( $_POST['paypal_email'] ) ) {\n        $settings = get_option( 'cf7_paypal_settings', array() );\n        $settings['paypal_email'] = sanitize_email( $_POST['paypal_email'] );\n        update_option( 'cf7_paypal_settings', $settings );\n        echo 'success';\n    }\n    wp_die();\n}","--- a\u002Fcontact-form-7-paypal-extension.php\n+++ b\u002Fcontact-form-7-paypal-extension.php\n@@ -10,6 +10,10 @@\n function cf7_paypal_save_settings() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( __( 'You do not have sufficient permissions to access this page.' 
) );\n+    }\n+    check_ajax_referer( 'cf7_paypal_nonce', 'security' );\n     if ( isset( $_POST['paypal_email'] ) ) {\n         $settings = get_option( 'cf7_paypal_settings', array() );","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php. An unauthenticated attacker first retrieves a valid nonce by visiting a public page where the plugin's shortcode or scripts are loaded (the nonce is often localized in a JavaScript object). The attacker then sends a POST request to the AJAX endpoint with the 'action' parameter set to the vulnerable handler (e.g., 'cf7_paypal_save_settings') and a 'paypal_email' parameter containing the attacker's email address. Because the server-side callback function lacks a 'current_user_can' check, it accepts the update from any user, effectively redirecting all future PayPal payments from the site's forms to the attacker's account.","gemini-3-flash-preview","2026-04-18 22:19:10","2026-04-18 22:19:31",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontact-form-7-paypal-extension\u002Ftags"]
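Review bot: the `add_action('wp_ajax_nopriv_cf7_paypal_save_settings', 'cf7_paypal_save_settings')` registration shown in the vulnerable-code listing is left in place by this hunk, which only touches the function body; unauthenticated callers now hit `wp_die()` before the write, which closes the hole, but a settings handler has no reason to be reachable on a nopriv hook at all, so drop that `add_action` line in the same patch. Two smaller points on the added lines: `check_ajax_referer( 'cf7_paypal_nonce', 'security' )` only passes if the enqueued script creates the nonce with the same action name (`wp_create_nonce( 'cf7_paypal_nonce' )`) and posts it in a `security` field, and nothing in the hunk shows that side; and in an admin-ajax context `wp_die( __( '...' ) )` answers with HTTP 200 and an HTML message, so `wp_send_json_error( null, 403 )` is the conventional refusal. The header also announces 6 old and 10 new lines but the hunk breaks off after three context lines, so the region as shown here is truncated.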
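The discovery step in section 5 of the plan (`grep -rn "wp_ajax_nopriv_"`, then read each callback for option writes without `current_user_can`) and the vulnerable/fixed handler pair above describe a bug class rather than one function. The following Python triage script is an added example, not code from this page, the plugin or the advisory: it collects every `wp_ajax_` and `wp_ajax_nopriv_` registration in a PHP source string, pulls out each callback body, and reports callbacks that reach a state-changing sink without a capability check. The PHP sample embedded in it is constructed; its function, action and option names are assumptions taken from this page's reconstruction, not from the plugin.

```python
"""Triage scanner for the CVE-2026-39707 bug class: WordPress AJAX handlers that
change state without a capability check. Added example, not code from the plugin or
the advisory; the PHP sample is constructed and all names in it are assumptions."""
import re
from dataclasses import dataclass, field

# add_action( 'wp_ajax[_nopriv]_<action>', 'cb' | array( $obj, 'cb' ) | [ $obj, 'cb' ] )
ACTION_RE = re.compile(
    r"""add_action\s*\(\s*['"]wp_ajax_(nopriv_)?([\w\-]+)['"]\s*,\s*"""
    r"""(?:['"]([\w\\]+)['"]|(?:array\s*\(|\[)\s*\$\w+\s*,\s*['"](\w+)['"]\s*[\)\]])"""
)
CAP_RE = re.compile(r"\b(current_user_can|user_can|is_super_admin)\s*\(")
NONCE_RE = re.compile(r"\b(check_ajax_referer|wp_verify_nonce|check_admin_referer)\s*\(")
# State-changing sinks that a missing capability check hands to the attacker.
SINK_RE = re.compile(
    r"\b(update_option|add_option|delete_option|wp_insert_post|wp_update_post|"
    r"wp_delete_post|update_user_meta|wp_insert_user|wp_update_user)\s*\(|\$wpdb->"
)

@dataclass
class Handler:
    callback: str
    actions: list = field(default_factory=list)  # AJAX action names hooked to it
    nopriv: bool = False                          # reachable with no session at all
    has_cap_check: bool = False
    has_nonce: bool = False
    sinks: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.sinks and not self.has_cap_check:
            # A nonce only proves the caller loaded a page, not that it may write.
            return "missing-authz-unauth" if self.nopriv else "missing-authz-auth"
        if self.sinks and not self.has_nonce:
            return "missing-nonce"  # authorised, but CSRF-able
        return "ok"

def function_body(src: str, name: str):
    """Brace-delimited body of `function <name>(`, or None (naive brace counting)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return None

def scan(src: str) -> dict:
    """Map callback name -> Handler for every wp_ajax_* registration in src."""
    handlers = {}
    for nopriv, action, fn, method in ACTION_RE.findall(src):
        cb = (fn or method).split("\\")[-1]  # drop any namespace prefix
        h = handlers.setdefault(cb, Handler(callback=cb))
        h.actions.append(action)
        h.nopriv = h.nopriv or bool(nopriv)
    for h in handlers.values():
        body = function_body(src, h.callback) or ""
        h.has_cap_check = bool(CAP_RE.search(body))
        h.has_nonce = bool(NONCE_RE.search(body))
        h.sinks = sorted({m.group(1) or "$wpdb" for m in SINK_RE.finditer(body)})
    return handlers

SAMPLE_PHP = """<?php
// Constructed sample, not the plugin's source. Handler 1 mirrors the page's
// reconstruction: nopriv hook, writes an option, checks nothing.
add_action('wp_ajax_nopriv_cf7_paypal_save_settings', 'cf7_paypal_save_settings');
add_action('wp_ajax_cf7_paypal_save_settings', 'cf7_paypal_save_settings');
function cf7_paypal_save_settings() {
    if ( isset( $_POST['paypal_email'] ) ) {
        $settings = get_option( 'cf7_paypal_settings', array() );
        $settings['paypal_email'] = sanitize_email( $_POST['paypal_email'] );
        update_option( 'cf7_paypal_settings', $settings );
    }
    wp_die();
}
// Handler 2: hardened form, capability check and nonce ahead of the sink.
add_action( 'wp_ajax_cf7_paypal_save_settings_fixed', 'cf7_paypal_save_settings_fixed' );
function cf7_paypal_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( null, 403 );
    }
    check_ajax_referer( 'cf7_paypal_nonce', 'security' );
    update_option( 'cf7_paypal_settings', array( 'paypal_email' => sanitize_email( $_POST['paypal_email'] ) ) );
}
// Handler 3: read-only nopriv method registered through an array callback.
class CF7_PayPal_Public {
    public function __construct() {
        add_action( 'wp_ajax_nopriv_cf7_paypal_get_currency', array( $this, 'get_currency' ) );
    }
    public function get_currency() {
        wp_send_json_success( get_option( 'cf7_paypal_currency', 'USD' ) );
    }
}
"""

if __name__ == "__main__":
    print({cb: h.verdict for cb, h in scan(SAMPLE_PHP).items()})
```

To run it against a real plugin, concatenate the plugin's PHP files into one string before calling `scan`, since the `add_action` call and the callback often live in different files. The verdict `missing-authz-unauth` is the pattern this CVE is attributed to (a nopriv handler that writes), `missing-authz-auth` is the Subscriber-level variant from section 9 of the plan, and a handler that verifies a nonce but never calls `current_user_can` still lands in one of those two buckets, because a nonce proves the request came from a page the caller could load, not that the caller is allowed to change settings. The brace counter is deliberately naive (braces inside strings or comments skew it), which is acceptable for a first pass that you then confirm by reading the flagged callbacks.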