In early February, the Wordfence Threat Intelligence team discovered and responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites. The first flaw made it possible for unauthenticated attackers to generate arbitrary nonces for any function. The second made it possible for authenticated attackers to install arbitrary plugins and inject PHP objects. The third made it possible for authenticated attackers to delete arbitrary posts on a site running the plugin, causing a loss of availability.
These are considered severe vulnerabilities, so we highly recommend updating immediately to the latest patched version available.
Full details at https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin