CVE-2026-27393

WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms <= 1.7.6 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.8.5
Patched in
6d
Time to patch

Description

The WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.7.6
PublishedMay 21, 2026
Last updatedMay 26, 2026
Affected plugincf7-styler

What Changed in the Fix

Changes introduced in v1.8.5

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-27393 (WOW Styler for CF7) ## 1. Vulnerability Summary The **WOW Styler for CF7** plugin (versions <= 1.7.6) is vulnerable to **Missing Authorization** in its AJAX handlers. Specifically, functions in `Cf7_Customizer_Admin_Ajax` (located in `admin/class-cf7-cu…

Show full research plan

Exploitation Research Plan: CVE-2026-27393 (WOW Styler for CF7)

1. Vulnerability Summary

The WOW Styler for CF7 plugin (versions <= 1.7.6) is vulnerable to Missing Authorization in its AJAX handlers. Specifically, functions in Cf7_Customizer_Admin_Ajax (located in admin/class-cf7-customizer-admin-ajax.php) check for a CSRF nonce but fail to perform a capability check (e.g., current_user_can('manage_options')). This oversight allows any user—including unauthenticated attackers if the action is registered as nopriv—to modify plugin settings and style schemes.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: cf7cstmzr_save_form_customizer_settings (and potentially cf7cstmzr_new_form_customizer_settings)
  • Authentication: Unauthenticated (per CVE description) or low-privileged users.
  • Payload Parameter: formData (array), nonce, styleSchemeSlug.
  • Preconditions: The attacker must obtain a valid nonce for the cf7cstmzr_save_form_customizer_settings_nonce action.

3. Code Flow

  1. Entry Point: A POST request is sent to admin-ajax.php with action=cf7cstmzr_save_form_customizer_settings.
  2. Nonce Verification: Cf7_Customizer_Admin_Ajax::save_form_customizer_settings() calls check_ajax_referer( 'cf7cstmzr_save_form_customizer_settings_nonce', 'nonce' ).
  3. Missing Authorization: The function proceeds directly to logic without verifying if the requester has administrative privileges.
  4. Data Processing: The formData array is parsed. The code uses explode('_', $name) to reconstruct a nested configuration array ($form_data_array).
  5. Sink: update_option('cf7cstmzr_style_schemes', $style_schemes) is called on line 124, overwriting the global plugin configuration with user-supplied data.

4. Nonce Acquisition Strategy

WordPress nonces for uid=0 (unauthenticated) are often leaked through localized scripts if the plugin enqueues them on the frontend.

  1. Identify the Script: The plugin enqueues scripts using the handle $this->plugin_name (verbatim cf7-styler).
  2. Localization Object: The JS object containing nonces is cf7cstmzr_ajax_object.
  3. Target Variable: cf7cstmzr_ajax_object.save_form_customizer_settings_nonce.
  4. Acquisition Plan:
    • Create a page containing a Contact Form 7 form (since the styler likely enqueues its assets when a form is present).
    • Use the browser_navigate tool to visit the page.
    • Execute browser_eval("window.cf7cstmzr_ajax_object?.save_form_customizer_settings_nonce") to retrieve the token.
    • If that fails, check the site homepage or any page where the plugin's "Live Preview" might be active.

5. Exploitation Strategy

We will perform an unauthorized update of the default styling scheme to change the form text color to red, proving control over site settings.

Step-by-Step Plan:

  1. Request: Use http_request to send a POST to /wp-admin/admin-ajax.php.
  2. Headers: Content-Type: application/x-www-form-urlencoded
  3. Payload:
    action=cf7cstmzr_save_form_customizer_settings
    &nonce=[EXTRACTED_NONCE]
    &styleSchemeSlug=default
    &styleSchemeTitle=Exploited
    &formData[0][name]=cf7cstmzr_form_text_color
    &formData[0][value]=#FF0000
    
    Note: The formData names are prefixed with cf7cstmzr_ which the plugin strips before exploding.

6. Test Data Setup

  1. Install Dependencies: Ensure Contact Form 7 is installed and active.
  2. Create Form: wp eval "if(!get_posts(['post_type'=>'wpcf7_contact_form'])){ WPCF7_ContactForm::save_post(['title'=>'Test Form','form'=>'[text* name]']); }"
  3. Create Page:
    wp post create --post_type=page --post_title="Contact" --post_status=publish --post_content='[contact-form-7 id="TARGET_ID"]'
    
  4. Initialize Plugin: Navigate to the CF7 Styler admin page once as admin to ensure default options are populated.

7. Expected Results

  • HTTP Response: {"success":1,"error":0,"message":"Success: Saved"}
  • Database Change: The WordPress option cf7cstmzr_style_schemes will be updated.

8. Verification Steps

After the exploit, verify the change using WP-CLI:

wp option get cf7cstmzr_style_schemes --format=json

Check if the default -> scheme -> form -> text -> color (reconstructed from form_text_color) is set to #FF0000.

9. Alternative Approaches

Bypassing Sanitization for Defacement

The custom_css field uses sanitize_textarea_field.

} elseif ('custom_css' === $name) {
    $value = sanitize_textarea_field($form_data['value']);
}

An attacker can inject malicious CSS to deface the site:
formData[0][name]=cf7cstmzr_custom_css&formData[0][value]=body { display: none !important; }

Creating New Schemes

Use the cf7cstmzr_new_form_customizer_settings action (requires obtaining the new_form_customizer_settings_nonce) to create arbitrary styling schemes that can be applied to forms via the styleSchemeSlug parameter.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.