5 million WordPress sites potentially impacted by a Contact Form 7 flaw

The development team behind the Contact Form 7 WordPress plugin discloses an unrestricted file upload vulnerability.

Jinson Varghese Behanan from Astra Security discovered an unrestricted file upload vulnerability in the popular Contact Form 7 WordPress vulnerability. The WordPress plugin allows users to add multiple contact forms on their site.

“By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website.” reads the post published by the Astra Security Research team. “Further, it allows an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms.”

The development team already addressed the flaw with the release of the 7 5.3.2 version and urges site admins to upgrade their installs.

Behanan praised the development team that quickly fixed the vulnerability.

The WordPress plugin has over 5 million active installs, attackers can exploit the vulnerability to upload a file that can be executed as a script file on the underlying server.

The issue allows attackers to can bypass the plugin’s filename sanitization.

“Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately.” reads the security advisory published by the development team.

“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”

Below the disclosure timeline:

December 16, 2020 – Initial discovery of the Unrestricted File Upload vulnerability
December 16, 2020 – The Astra Security Research reached out to the plugin developers and receives an acknowledgment
December 17, 2020 – We send over full vulnerability disclosure details to the Contact Form 7 team
December 17, 2020 – After fixing up the vulnerability the initial insufficient patch was released
December 17, 2020 – We provided more details about the vulnerability to the plugin developers
December 17, 2020 – The final sufficient patch is released in the plugin version 5.3.2

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.