Headline
CVE-2021-24565: Changeset 2570402 – WordPress Plugin Repository
The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.
contact-form-7-simple-recaptcha/tags/0.0.9/contact-form-7-simple-recaptcha.php
r2381935
r2570402
3
3
Plugin Name: Contact Form 7 Captcha
4
4
Description: Add No CAPTCHA reCAPTCHA to Contact Form 7 using [cf7sr-simple-recaptcha] shortcode
5
Version: 0.0.8
5
Version: 0.0.9
6
6
Author: 247wd
7
7
*/
…
…
53
53
$cf7sr = true;
54
54
$cf7sr\_key = get\_option('cf7sr\_key');
55
return '<div id="cf7sr-' . uniqid() . '" class="cf7sr-g-recaptcha" data-sitekey="' . $cf7sr\_key
56
. '"></div><span class="wpcf7-form-control-wrap cf7sr-g-recaptcha-invalid"></span>';
55
return '<div id="cf7sr-' . uniqid() . '" class="cf7sr-g-recaptcha" data-sitekey="' . esc\_attr($cf7sr\_key)
56
. '"></div><span class="wpcf7-form-control-wrap cf7sr-recaptcha"><input type="hidden" name="cf7sr-recaptcha" value="" class="wpcf7-form-control"></span>';
57
57
}
58
58
add\_shortcode('cf7sr-simple-recaptcha', 'cf7sr\_shortcode');
…
…
83
83
84
84
if (empty($data\['g-recaptcha-response'\])) {
85
$result->invalidate(array('type' => 'captcha', 'name' => 'cf7sr-g-recaptcha-invalid'), $message);
85
$result->invalidate(array('type' => 'captcha', 'name' => 'cf7sr-recaptcha'), $message);
86
86
return $result;
87
87
}
…
…
93
93
$response = json\_decode($body);
94
94
if (!(isset ($response->success) && 1 == $response->success)) {
95
$result->invalidate(array('type' => 'captcha', 'name' => 'cf7sr-g-recaptcha-invalid'), $message);
95
$result->invalidate(array('type' => 'captcha', 'name' => 'cf7sr-recaptcha'), $message);
96
96
}
97
97
…
…
117
117
return;
118
118
}
119
if (!empty ($\_POST\['update'\])) {
120
$cf7sr\_key = !empty ($\_POST\['cf7sr\_key'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_key'\]) : '';
119
if (
120
! empty ($\_POST\['update'\])
121
&& ! empty($\_POST\['cf7sr\_nonce'\])
122
&& wp\_verify\_nonce($\_POST\['cf7sr\_nonce'\],'cf7sr\_update\_settings' )
123
) {
124
$cf7sr\_key = ! empty ($\_POST\['cf7sr\_key'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_key'\]) : '';
121
125
update\_option('cf7sr\_key', $cf7sr\_key);
122
126
123
$cf7sr\_secret = !empty ($\_POST\['cf7sr\_secret'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_secret'\]) : '';
127
$cf7sr\_secret = ! empty ($\_POST\['cf7sr\_secret'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_secret'\]) : '';
124
128
update\_option('cf7sr\_secret', $cf7sr\_secret);
125
129
126
$cf7sr\_message = !empty ($\_POST\['cf7sr\_message'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_message'\]) : '';
130
$cf7sr\_message = ! empty ($\_POST\['cf7sr\_message'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_message'\]) : '';
127
131
update\_option('cf7sr\_message', $cf7sr\_message);
128
132
…
…
146
150
<form action="<?php echo $\_SERVER\['REQUEST\_URI'\]; ?>" method="POST">
147
151
<input type="hidden" value="1" name="update">
152
<?php wp\_nonce\_field( 'cf7sr\_update\_settings', 'cf7sr\_nonce' ); ?>
148
153
<ul>
149
<li><input type="text" style="width: 370px;" value="<?php echo $cf7sr\_key; ?>" name="cf7sr\_key"> Site key</li>
150
<li><input type="text" style="width: 370px;" value="<?php echo $cf7sr\_secret; ?>" name="cf7sr\_secret"> Secret key</li>
151
<li><input type="text" style="width: 370px;" value="<?php echo $cf7sr\_message; ?>" name="cf7sr\_message"> Invalid captcha error message</li>
154
<li><input type="text" style="width: 370px;" value="<?php echo esc\_attr($cf7sr\_key); ?>" name="cf7sr\_key"> Site key</li>
155
<li><input type="text" style="width: 370px;" value="<?php echo esc\_attr($cf7sr\_secret); ?>" name="cf7sr\_secret"> Secret key</li>
156
<li><input type="text" style="width: 370px;" value="<?php echo esc\_attr($cf7sr\_message); ?>" name="cf7sr\_message"> Invalid captcha error message</li>
152
157
</ul>
153
158
<input type="submit" class="button-primary" value="Save Settings">
contact-form-7-simple-recaptcha/tags/0.0.9/readme.txt
r2381935
r2570402
4
4
Tags: captcha, recaptcha, new recaptcha, contact form 7, no captcha
5
5
Requires at least: 4.1.2
6
Tested up to: 5.5.1
7
Stable tag: 0.0.8
6
Tested up to: 5.8
7
Stable tag: 0.0.9
8
8
License: GPLv2 or later
9
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
18
18
Protect your Contact Form 7 forms from spam and abuse.<br>
19
19
Can be used to protect multiple forms on same page.<br>
20
Tested with Contact Form 7 version 5.2.2 and WordPress version 5.5.1<br>
20
Tested with Contact Form 7 version 5.4.2 and WordPress version 5.8<br>
21
21
Configure plugin from Settings => CF7 Simple Recaptcha.<br>
22
22
After configuration, add [cf7sr-simple-recaptcha] to any Contact Form 7 form.<br>
23
Added CSRF check and escaped attributes in Settings page.
23
24
24
25
== Installation ==
contact-form-7-simple-recaptcha/trunk/contact-form-7-simple-recaptcha.php
r2381935
r2570402
3
3
Plugin Name: Contact Form 7 Captcha
4
4
Description: Add No CAPTCHA reCAPTCHA to Contact Form 7 using [cf7sr-simple-recaptcha] shortcode
5
Version: 0.0.8
5
Version: 0.0.9
6
6
Author: 247wd
7
7
*/
…
…
53
53
$cf7sr = true;
54
54
$cf7sr\_key = get\_option('cf7sr\_key');
55
return '<div id="cf7sr-' . uniqid() . '" class="cf7sr-g-recaptcha" data-sitekey="' . $cf7sr\_key
56
. '"></div><span class="wpcf7-form-control-wrap cf7sr-g-recaptcha-invalid"></span>';
55
return '<div id="cf7sr-' . uniqid() . '" class="cf7sr-g-recaptcha" data-sitekey="' . esc\_attr($cf7sr\_key)
56
. '"></div><span class="wpcf7-form-control-wrap cf7sr-recaptcha"><input type="hidden" name="cf7sr-recaptcha" value="" class="wpcf7-form-control"></span>';
57
57
}
58
58
add\_shortcode('cf7sr-simple-recaptcha', 'cf7sr\_shortcode');
…
…
83
83
84
84
if (empty($data\['g-recaptcha-response'\])) {
85
$result->invalidate(array('type' => 'captcha', 'name' => 'cf7sr-g-recaptcha-invalid'), $message);
85
$result->invalidate(array('type' => 'captcha', 'name' => 'cf7sr-recaptcha'), $message);
86
86
return $result;
87
87
}
…
…
93
93
$response = json\_decode($body);
94
94
if (!(isset ($response->success) && 1 == $response->success)) {
95
$result->invalidate(array('type' => 'captcha', 'name' => 'cf7sr-g-recaptcha-invalid'), $message);
95
$result->invalidate(array('type' => 'captcha', 'name' => 'cf7sr-recaptcha'), $message);
96
96
}
97
97
…
…
117
117
return;
118
118
}
119
if (!empty ($\_POST\['update'\])) {
120
$cf7sr\_key = !empty ($\_POST\['cf7sr\_key'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_key'\]) : '';
119
if (
120
! empty ($\_POST\['update'\])
121
&& ! empty($\_POST\['cf7sr\_nonce'\])
122
&& wp\_verify\_nonce($\_POST\['cf7sr\_nonce'\],'cf7sr\_update\_settings' )
123
) {
124
$cf7sr\_key = ! empty ($\_POST\['cf7sr\_key'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_key'\]) : '';
121
125
update\_option('cf7sr\_key', $cf7sr\_key);
122
126
123
$cf7sr\_secret = !empty ($\_POST\['cf7sr\_secret'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_secret'\]) : '';
127
$cf7sr\_secret = ! empty ($\_POST\['cf7sr\_secret'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_secret'\]) : '';
124
128
update\_option('cf7sr\_secret', $cf7sr\_secret);
125
129
126
$cf7sr\_message = !empty ($\_POST\['cf7sr\_message'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_message'\]) : '';
130
$cf7sr\_message = ! empty ($\_POST\['cf7sr\_message'\]) ? sanitize\_text\_field($\_POST\['cf7sr\_message'\]) : '';
127
131
update\_option('cf7sr\_message', $cf7sr\_message);
128
132
…
…
146
150
<form action="<?php echo $\_SERVER\['REQUEST\_URI'\]; ?>" method="POST">
147
151
<input type="hidden" value="1" name="update">
152
<?php wp\_nonce\_field( 'cf7sr\_update\_settings', 'cf7sr\_nonce' ); ?>
148
153
<ul>
149
<li><input type="text" style="width: 370px;" value="<?php echo $cf7sr\_key; ?>" name="cf7sr\_key"> Site key</li>
150
<li><input type="text" style="width: 370px;" value="<?php echo $cf7sr\_secret; ?>" name="cf7sr\_secret"> Secret key</li>
151
<li><input type="text" style="width: 370px;" value="<?php echo $cf7sr\_message; ?>" name="cf7sr\_message"> Invalid captcha error message</li>
154
<li><input type="text" style="width: 370px;" value="<?php echo esc\_attr($cf7sr\_key); ?>" name="cf7sr\_key"> Site key</li>
155
<li><input type="text" style="width: 370px;" value="<?php echo esc\_attr($cf7sr\_secret); ?>" name="cf7sr\_secret"> Secret key</li>
156
<li><input type="text" style="width: 370px;" value="<?php echo esc\_attr($cf7sr\_message); ?>" name="cf7sr\_message"> Invalid captcha error message</li>
152
157
</ul>
153
158
<input type="submit" class="button-primary" value="Save Settings">
contact-form-7-simple-recaptcha/trunk/readme.txt
r2381935
r2570402
4
4
Tags: captcha, recaptcha, new recaptcha, contact form 7, no captcha
5
5
Requires at least: 4.1.2
6
Tested up to: 5.5.1
7
Stable tag: 0.0.8
6
Tested up to: 5.8
7
Stable tag: 0.0.9
8
8
License: GPLv2 or later
9
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
18
18
Protect your Contact Form 7 forms from spam and abuse.<br>
19
19
Can be used to protect multiple forms on same page.<br>
20
Tested with Contact Form 7 version 5.2.2 and WordPress version 5.5.1<br>
20
Tested with Contact Form 7 version 5.4.2 and WordPress version 5.8<br>
21
21
Configure plugin from Settings => CF7 Simple Recaptcha.<br>
22
22
After configuration, add [cf7sr-simple-recaptcha] to any Contact Form 7 form.<br>
23
Added CSRF check and escaped attributes in Settings page.
23
24
24
25
== Installation ==