Coinbase Commerce for Contact Form 7 Missing Authorization Vulnerability Allowing API Key Modification

Vulnerability

A vulnerability exists in the Coinbase Commerce for Contact Form 7 WordPress plugin, specifically in versions up to and including 1.1.2. The issue stems from a lack of proper authorization checks and nonce verification in the 'save_settings' function, which is triggered by the 'admin_post_cccf7_save_settings' hook. This vulnerability enables authenticated attackers with Subscriber-level access or higher to overwrite the plugin's API key option by sending a crafted POST request to '/wp-admin/admin-post'.

Impact

Exploitation of this vulnerability allows for unauthorized modification of the Coinbase Commerce API key used by the plugin, potentially leading to unauthorized actions or transactions on behalf of the user or site.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a POST request to '/wp-admin/admin-post' with the 'action' parameter set to 'cccf7_save_settings'. The request must include the 'cccf7_api_key' parameter with a value that replaces the existing API key. This can be done using a tool like Postman or through a custom script that sends the appropriate request.
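For reference, an added, hypothetical illustration (not the plugin's own code) of how an admin_post_* handler should perform the two checks the advisory says are missing: a capability check, so Subscriber-level users are rejected, and nonce verification, so a crafted cross-site POST is rejected. The hook name and the cccf7_api_key POST field come from the advisory; the option name, the required capability, the nonce action and the function name are assumptions.

```php
<?php
// Hypothetical hardened handler. Everything except the hook name and the
// 'cccf7_api_key' field name is an assumption for illustration.
add_action( 'admin_post_cccf7_save_settings', 'cccf7_save_settings_hardened' );

function cccf7_save_settings_hardened() {
    // 1. Authorization. admin_post_* actions fire for any logged-in user,
    //    so the handler itself must enforce the capability. Without this
    //    check a Subscriber can reach update_option() below.
    if ( ! current_user_can( 'manage_options' ) ) {   // capability assumed
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), 403 );
    }

    // 2. CSRF protection. The settings form must emit
    //    wp_nonce_field( 'cccf7_save_settings' ) and the handler must verify
    //    it; check_admin_referer() calls wp_die() when the nonce is missing
    //    or invalid.
    check_admin_referer( 'cccf7_save_settings' );     // nonce action assumed

    // 3. Only then read, sanitize and persist the submitted key.
    $api_key = isset( $_POST['cccf7_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['cccf7_api_key'] ) )
        : '';

    if ( '' === $api_key ) {
        wp_die( esc_html__( 'API key must not be empty.' ), 400 );
    }

    update_option( 'cccf7_api_key', $api_key );       // option name assumed

    // Send the admin back to the page the form was submitted from.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
```

For detection, the same handler is a natural place to log who changed the key (current_user_id(), remote address, timestamp), since a legitimate change is rare and a change by a low-privileged account is a clear alert.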

Added: May 12, 2026, 9:35 AM
Updated: May 12, 2026, 9:35 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 0.0
relevance: 8.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.