Popular WordPress Plugin Contact Form 7 Found Serious Vulnerability

Popular WordPress Plugin Contact Form 7 Found Serious Vulnerability

A vulnerability has been found in Contact Form 7 that allows a hacker to upload malicious contents. The developers of Contact Form 7 have released an update to fix the vulnerability.

Unrestricted File Upload Vulnerability

Unrestricted file upload vulnerability in a WordPress plugin is when the plugin allows an attacker to upload a web shell (malicious content) that would then be able to take over a site, mess with a database, etc.

A web shell is a malicious script that can be written in any web language that is uploaded to a vulnerable website, automatically processed and used to obtain access, execute orders, tamper the database, and so on

Contact Form 7 calls their most recent update an “instant security and maintenance release.”

According to Contact Form 7:

“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions.

Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”

A more detailed description of the vulnerability was published on Contact Form 7’s WordPress plugin repository page.

These are the extra details about the vulnerability that was shared on the official WordPress plugin repository for Contact Form 7:

“Removes control, separator, and other types of special characters from filename to fix the unrestricted file upload vulnerability issue.”

Filename Sanitization

Filename sanitization is a reference to a function related to scripts that process uploads. Filename sanitization functions are intended to control what sorts of files (file names) are uploaded by confining specific sorts of files. Filename sanitization also can control file paths.

A filename sanitization function works by blocking certain file names as well as allowing just a limited list of file names.

On account of Contact Form 7, there was an issue in the filename sanitization which made the circumstance where specific sorts of perilous files were unexpectedly allowed.

Vulnerability Fixed in Contact Form 7 Version 7.5.3.2

The filename sanitization vulnerability misuse is fixed in Contact Form 7 version 7 5.3.2.

All versions of Contact Form 7 from 7 5.3.1 and under are viewed as defenseless and should be updated right away.

Reference

Read the Contact Form 7 Changelog.

We at CodeLedge, provide Sweden’s best WordPress Development services. If you are still not sure about managing your website and maintain security, we can help you. Feel free to talk with us at hi@codeledge.net or get a quote from here.