Contact Form 7 Order Replay Vulnerability
Vulnerability
An order replay vulnerability has been identified in the Contact Form 7 plugin for WordPress, affecting all versions through 6.0.5. The issue is in the Stripe integration module, specifically in the 'wpcf7_stripe_skip_spam_check' function. That function trusts a Stripe PaymentIntent ID supplied by the client in the form submission and does not check whether the PaymentIntent has already been consumed by an earlier submission. An unauthenticated attacker who holds the ID of a single succeeded PaymentIntent can therefore submit the form repeatedly with that same ID. Stripe charges the payment only once, but the plugin treats every submission as paid and sends a successful order notification each time, which can mislead administrators into fulfilling orders that were never paid for.
Impact
Exploitation allows a single Stripe PaymentIntent to be reused across many form submissions, so that multiple orders are reported as successfully paid when only one payment was actually captured. The financial loss is borne by the site operator who fulfils the replayed orders. Until the plugin is updated, administrators should reconcile each order notification against the PaymentIntent in the Stripe dashboard and treat repeated PaymentIntent IDs as unpaid.
Reproduction
To reproduce this vulnerability, use a site running Contact Form 7 version 6.0.5 or earlier with a form that has Stripe payment integration enabled. Complete one legitimate payment so that a PaymentIntent with status 'succeeded' exists, and note its ID from the form submission. Then submit the same form again, supplying that same PaymentIntent ID in the submission. On each submission the 'wpcf7_stripe_skip_spam_check' function looks the PaymentIntent up, sees that it succeeded, and accepts the submission as paid without checking whether the ID was used before. Only the first transaction is processed by Stripe, but the plugin sends a confirmation email for every submission, creating the illusion of multiple successful orders. Comparing the number of confirmation emails with the number of charges in the Stripe dashboard demonstrates the discrepancy.
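The following PHP sketch is added here as an illustration and is not taken from Contact Form 7's source. It models the flow described above: a callback that reads a PaymentIntent ID from the POST body and skips the spam check whenever Stripe reports the intent as succeeded, beside a hardened variant that binds each PaymentIntent to exactly one submission and also checks amount and currency. The field name `_wpcf7_stripe_payment_intent`, the `$stripe_lookup` callable, the `example_` function names and the option key are assumptions for this example; the fix actually shipped in 6.0.6 is not reproduced here.

```php
<?php
// Added illustration, not Contact Form 7's own code. The POST field name,
// the $stripe_lookup callable, the function names and the option key are
// assumptions made for this example.

/**
 * Simplified model of the vulnerable behaviour: the PaymentIntent ID comes
 * straight from the POST body, Stripe is asked whether that intent
 * succeeded, and if so the submission is treated as paid. Nothing records
 * that the intent has already been consumed, so the same ID can be posted
 * again and again and every submission is accepted.
 */
function example_vulnerable_skip_spam_check( $skip_spam_check, callable $stripe_lookup ) {
    if ( empty( $_POST['_wpcf7_stripe_payment_intent'] ) ) {
        return $skip_spam_check;
    }
    $pi_id  = sanitize_text_field( wp_unslash( $_POST['_wpcf7_stripe_payment_intent'] ) );
    $intent = $stripe_lookup( $pi_id ); // assumed: returns the PaymentIntent as an array
    if ( isset( $intent['status'] ) && 'succeeded' === $intent['status'] ) {
        return true; // replayable: a succeeded intent stays succeeded forever
    }
    return $skip_spam_check;
}

/**
 * Hardened variant: same flow, but
 *  - the ID must look like a Stripe PaymentIntent ID,
 *  - amount and currency must match what this form charges,
 *  - the ID is marked consumed in a persistent set, and a second
 *    submission carrying an already-consumed ID is refused and falls back
 *    to the normal (spam-checked, unpaid) path.
 */
function example_hardened_skip_spam_check( $skip_spam_check, callable $stripe_lookup, $expected_amount, $expected_currency ) {
    if ( empty( $_POST['_wpcf7_stripe_payment_intent'] ) ) {
        return $skip_spam_check;
    }
    $pi_id = sanitize_text_field( wp_unslash( $_POST['_wpcf7_stripe_payment_intent'] ) );

    // Stripe PaymentIntent IDs are "pi_" followed by alphanumerics; reject anything else early.
    if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $pi_id ) ) {
        return $skip_spam_check;
    }

    $intent = $stripe_lookup( $pi_id );
    if ( ! isset( $intent['status'] ) || 'succeeded' !== $intent['status'] ) {
        return $skip_spam_check;
    }

    // A succeeded intent for the wrong amount must not settle this order.
    if ( (int) $intent['amount'] !== (int) $expected_amount
        || strtolower( (string) $intent['currency'] ) !== strtolower( (string) $expected_currency ) ) {
        return $skip_spam_check;
    }

    // Replay check: refuse a PaymentIntent that has already been consumed.
    $used = get_option( 'example_stripe_used_intents', array() ); // assumed option name
    if ( isset( $used[ $pi_id ] ) ) {
        return $skip_spam_check; // reused ID: not a paid order
    }

    // Mark the intent consumed before any confirmation email is sent.
    $used[ $pi_id ] = time();
    update_option( 'example_stripe_used_intents', $used, false );

    return true;
}
```

The get_option/update_option pair above is not atomic: two submissions racing on the same PaymentIntent ID could both read an empty set and both be accepted. In a real deployment the consumed-ID record should be enforced by a uniqueness constraint (for example a database table with a unique key on the PaymentIntent ID, where the insert failing is the replay signal), and the amount check should come from the form's server-side configuration rather than from anything the client submits.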
Remediation
Update Contact Form 7 to version 6.0.6 or a later patched release. Until the update is applied, verify each order's PaymentIntent ID against the Stripe dashboard before fulfilling it, and treat any ID that appears on more than one order as unpaid.
