CVE-2021-36913 - OpenCVE

Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redirection-for-contact-form7	Redirection For Contact Form 7

Configuration 1 [-]

cpe:2.3:a:redirection-for-contact-form7:redirection_for_contact_form_7:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve
https://wordpress.org/plugins/wpcf7-redirect/#developers

History

No history.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2022-10-11T17:04:23.133469Z

Updated: 2024-09-16T18:39:39.419Z

Reserved: 2021-07-19T00:00:00

Link: CVE-2021-36913

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-10-11T18:15:09.913

Modified: 2022-10-13T17:09:16.410

Link: CVE-2021-36913

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-36913", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "datePublished": "2022-10-11T17:04:23.133469Z", "dateUpdated": "2024-09-16T18:39:39.419Z", "dateReserved": "2021-07-19T00:00:00"}, "containers": {"cna": {"title": "Redirection for Contact Form 7 <= 2.4.0 - Unauthenticated Options Change and Content Injection vulnerability", "datePublic": "2022-09-29T00:00:00", "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe."}], "affected": [{"vendor": "Qube One", "product": "Redirection for Contact Form 7 (WordPress plugin)", "versions": [{"version": "<= 2.4.0", "status": "affected", "lessThanOrEqual": "2.4.0", "versionType": "custom"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve"}, {"url": "https://wordpress.org/plugins/wpcf7-redirect/#developers"}], "credits": [{"lang": "en", "value": "Vulnerability discovered by John Castro aka mirphak (Patchstack Alliance)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Update to 2.6.0 or higher version."}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.931Z"}, "title": "CVE Program Container", "references": [{"url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve", "tags": ["x_transferred"]}, {"url": "https://wordpress.org/plugins/wpcf7-redirect/#developers", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redirection-for-contact-form7:redirection_for_contact_form_7:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EBA5284F-4DC0-44DF-AE80-CAC937991C90", "versionEndExcluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe."}, {"lang": "es", "value": "Una vulnerabilidad de cambio de opciones sin autenticaci\u00f3n e inyecci\u00f3n de contenido en el plugin Qube One Redirection for Contact Form 7 versiones anteriores a 2.4.0 incluy\u00e9ndola en WordPress, permite a atacantes cambiar opciones e inyectar scripts en el HTML del pie de p\u00e1gina. Requiere una extensi\u00f3n adicional (plugin) AccessiBe"}], "id": "CVE-2021-36913", "lastModified": "2022-10-13T17:09:16.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2022-10-11T18:15:09.913", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve"}, {"source": "audit@patchstack.com", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/wpcf7-redirect/#developers"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "audit@patchstack.com", "type": "Secondary"}]}