Jinson Varghese Behanan from Astra Security discovered an unrestricted file upload vulnerability in the popular Contact Form 7 WordPress vulnerability. The WordPress plugin allows users to add multiple contact forms on their site.
“By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website.” reads the post published by the Astra Security Research team. “Further, it allows an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms.”
The development team already addressed the flaw with the release of the 7 5.3.2 version and urges site admins to upgrade their installs.
Behanan praised the development team that quickly fixed the vulnerability.
The WordPress plugin has over 5 million active installs, attackers can exploit the vulnerability to upload a file that can be executed as a script file on the underlying server.
The issue allows attackers to can bypass the plugin’s filename sanitization.
“Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately.” reads the security advisory published by the development team.
“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”
Below the disclosure timeline:
December 16, 2020 – Initial discovery of the Unrestricted File Upload vulnerability
December 16, 2020 – The Astra Security Research reached out to the plugin developers and receives an acknowledgment
December 17, 2020 – We send over full vulnerability disclosure details to the Contact Form 7 team
December 17, 2020 – After fixing up the vulnerability the initial insufficient patch was released
December 17, 2020 – We provided more details about the vulnerability to the plugin developers
December 17, 2020 – The final sufficient patch is released in the plugin version 5.3.2
(SecurityAffairs – hacking, WordPress)