CVE-2021-36913 - Vulnerability Details - OpenCVE

Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00261.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redirection-for-contact-form7	Redirection For Contact Form 7

Configuration 1 [-]

cpe:2.3:a:redirection-for-contact-form7:redirection_for_contact_form_7:*:*:*:*:*:wordpress:*:*

No data.

No data.

Fixes

Solution

Update to 2.6.0 or higher version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve
https://wordpress.org/plugins/wpcf7-redirect/#developers

History

Thu, 20 Feb 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2022-10-11T17:04:23.133Z

Updated: 2025-02-20T19:59:21.400Z

Reserved: 2021-07-19T00:00:00.000Z

Link: CVE-2021-36913

Vulnrichment

Updated: 2024-08-04T01:01:59.931Z

NVD

Status : Modified

Published: 2022-10-11T18:15:09.913

Modified: 2024-11-21T06:14:17.557

Link: CVE-2021-36913

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-36913", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "datePublished": "2022-10-11T17:04:23.133Z", "dateUpdated": "2025-02-20T19:59:21.400Z", "dateReserved": "2021-07-19T00:00:00.000Z"}, "containers": {"cna": {"title": "Redirection for Contact Form 7 <= 2.4.0 - Unauthenticated Options Change and Content Injection vulnerability", "datePublic": "2022-09-29T00:00:00.000Z", "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2022-10-11T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe."}], "affected": [{"vendor": "Qube One", "product": "Redirection for Contact Form 7 (WordPress plugin)", "versions": [{"version": "<= 2.4.0", "status": "affected", "lessThanOrEqual": "2.4.0", "versionType": "custom"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve"}, {"url": "https://wordpress.org/plugins/wpcf7-redirect/#developers"}], "credits": [{"lang": "en", "value": "Vulnerability discovered by John Castro aka mirphak (Patchstack Alliance)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Update to 2.6.0 or higher version."}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.931Z"}, "title": "CVE Program Container", "references": [{"url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve", "tags": ["x_transferred"]}, {"url": "https://wordpress.org/plugins/wpcf7-redirect/#developers", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-20T19:22:45.145097Z", "id": "CVE-2021-36913", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T19:59:21.400Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve", "tags": ["x_transferred"]}, {"url": "https://wordpress.org/plugins/wpcf7-redirect/#developers", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.931Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-36913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-20T19:22:45.145097Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T19:22:46.630Z"}}], "cna": {"title": "Redirection for Contact Form 7 <= 2.4.0 - Unauthenticated Options Change and Content Injection vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Vulnerability discovered by John Castro aka mirphak (Patchstack Alliance)"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Qube One", "product": "Redirection for Contact Form 7 (WordPress plugin)", "versions": [{"status": "affected", "version": "<= 2.4.0", "versionType": "custom", "lessThanOrEqual": "2.4.0"}]}], "solutions": [{"lang": "en", "value": "Update to 2.6.0 or higher version."}], "datePublic": "2022-09-29T00:00:00.000Z", "references": [{"url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve"}, {"url": "https://wordpress.org/plugins/wpcf7-redirect/#developers"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2022-10-11T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2021-36913", "state": "PUBLISHED", "dateUpdated": "2025-02-20T19:59:21.400Z", "dateReserved": "2021-07-19T00:00:00.000Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2022-10-11T17:04:23.133Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redirection-for-contact-form7:redirection_for_contact_form_7:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EBA5284F-4DC0-44DF-AE80-CAC937991C90", "versionEndExcluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe."}, {"lang": "es", "value": "Una vulnerabilidad de cambio de opciones sin autenticaci\u00f3n e inyecci\u00f3n de contenido en el plugin Qube One Redirection for Contact Form 7 versiones anteriores a 2.4.0 incluy\u00e9ndola en WordPress, permite a atacantes cambiar opciones e inyectar scripts en el HTML del pie de p\u00e1gina. Requiere una extensi\u00f3n adicional (plugin) AccessiBe"}], "id": "CVE-2021-36913", "lastModified": "2024-11-21T06:14:17.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-11T18:15:09.913", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve"}, {"source": "audit@patchstack.com", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/wpcf7-redirect/#developers"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/wpcf7-redirect/#developers"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "audit@patchstack.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}