Astra Security discovers a vulnerability in Contact Form 7, a WordPress plugin
The Astra Security Research team has discovered an Unrestricted File Upload vulnerability in Contact Form 7, a WordPress plugin installed on 5 Million+ websites.
Contact Form 7 is one of the most popular WordPress plugins that allows its users to add multiple contact forms on their site. The plugin currently has over 5 million active installations. So, any vulnerability in this plugin puts millions of websites at risk of being compromised.
File Upload Vulnerability
The research team, led by Jinson Varghese, recently discovered a high-severity Unrestricted File Upload vulnerability in Contact Form 7 version 5.3.1 and older. By exploiting it, an attacker could upload files of any type, bypassing every restriction a site places on the allowed upload file types. This lets an attacker inject malicious content such as web shells into sites that run Contact Form 7 5.3.1 or older and have file upload enabled on a form.
The Astra Security Research team initially reached out to Contact Form 7 plugin developers via their support forum on December 16, 2020. After receiving the acknowledgment from the plugin developers, we disclosed the full details about this vulnerability on December 17, 2020. On the same day, a final sufficient patch was released. We highly recommend updating the plugin to its latest version, 5.3.2 as of today, immediately.
More details on the vulnerability will be added after a period of two weeks, to give users enough time to update and take necessary action to ensure they’re safe.
Note: If you are using Astra Security’s firewall & malware scanner, you’re automatically protected out of the box. For even better and wider coverage, we recommend installing Astra Security via this method on your WordPress site.
Consequences of File Upload Vulnerability in Contact Form 7 (5.3.1 & older versions)
- Possible to upload a web shell and inject malicious scripts
- Complete takeover of the website & server if there is no containerization between websites on the same server
- Defacing the website
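As an added defender-side example (not code from the Astra advisory or the Contact Form 7 project), a small Python audit that walks a WordPress uploads directory and flags files that a PHP host could execute, or that carry PHP code under an image extension, the kind of artefact an unrestricted upload leaves behind. The uploads path and the sample files built in demo() are assumptions constructed for illustration.

```python
"""Post-patch audit: flag upload-directory files that could be web shells.

Added example, not from the Astra advisory or Contact Form 7. The uploads
root is assumed to be passed in; demo() builds a constructed sample tree.
"""
import os
import re
import tempfile

# Extensions a typical PHP host executes, including double-extension forms
# such as "name.php.jpg" (the dot after the extension is matched too).
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# PHP open tags; an "image" whose bytes contain these is suspect.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def find_suspicious_uploads(root):
    """Return a sorted list of (relative_path, reason) for files that look
    executable by name or that contain a PHP open tag in their first 4 KiB."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if EXEC_EXT.search(name):
                findings.append((rel, "executable extension in name"))
                continue
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag in content"))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree (year/month layout) and audit it."""
    root = tempfile.mkdtemp(prefix="uploads-audit-")
    sub = os.path.join(root, "2020", "12")
    os.makedirs(sub)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 JFIF sample",       # benign image
        "resume.pdf": b"%PDF-1.4 sample",                    # benign document
        "shell.php.jpg": b"<?php echo 'marker'; ?>",         # double extension
        "avatar.png": b"GIF89a<?php echo 'marker'; ?>",      # PHP inside "image"
        "notes.txt": b"plain text",                          # benign
    }
    for name, body in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(body)
    return find_suspicious_uploads(root)
```

Run demo() and the two constructed bad files are reported; point find_suspicious_uploads() at a real wp-content/uploads path to audit a site after updating the plugin.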
Disclosure Timeline
- December 16, 2020 – Initial discovery of the Unrestricted File Upload vulnerability
- December 16, 2020 – The Astra Security Research team reached out to the plugin developers and received an acknowledgment
- December 17, 2020 – We sent the full vulnerability disclosure details to the Contact Form 7 team
- December 17, 2020 – The plugin developers released an initial patch, which turned out to be insufficient
- December 17, 2020 – We provided more details about the vulnerability to the plugin developers
- December 17, 2020 – The final, sufficient patch was released in plugin version 5.3.2
Special mention to the Contact Form 7 plugin developer, Takayuki Miyoshi, who was quick to respond, take action and release an update with the security of the plugin’s users in mind. That responsiveness inspires confidence in Contact Form 7’s commitment to security.
Recommendation
As the threat landscape keeps expanding, threat actors are constantly finding new techniques to take online businesses down. To protect against plugin vulnerabilities like this one, make sure you have the necessary security measures in place for your site and online business.
If you are using Contact Form 7 version 5.3.1 or older, it is highly recommended that you update the plugin to its latest version, 5.3.2 at the time of writing.