CVE-2023-39920

WordPress Redirection for Contact Form 7 plugin <= 2.9.2 - Broken Access Control vulnerability

CVSS 7.5 HIGH | EPSS 0.6% | CWE-862
In short

The Redirection for Contact Form 7 WordPress plugin fails to properly check user permissions, allowing unauthorized users to access or modify redirect settings that should be restricted. This can let attackers change where form submissions are sent or access sensitive configuration.

Technical detail

Missing authorization checks in the plugin's access control mechanism allow unauthenticated or low-privileged users to exploit improperly configured security levels and access/modify redirection functionality. An attacker without proper permissions can manipulate form redirect endpoints through direct API or interface access, potentially compromising data flow and user experience.

Summary generated and translated by AI from the official description.
Missing Authorization vulnerability in Themeisle Redirection for Contact Form 7 wpcf7-redirect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Redirection for Contact Form 7: from n/a through <= 2.9.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
