Unrestricted File Upload Vulnerability found in Contact Form 7 Plugin

Contact Form 7 versions 5.3.1 and below were found to be vulnerable to an unrestricted file upload vulnerability while testing a customer’s website. Contact Form 7 version 5.3.2, which contains the fix, was released on December 17, 2020.

CVE-2020-35489

Summary

Contact Form 7 is a popular WordPress plugin with over 5 million active installations. It was found to be vulnerable to unrestricted file upload, a class of vulnerability in which an attacker can upload files of any type, bypassing the restrictions the application places on which file types may be uploaded.
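To make the vulnerability class concrete, the following is an added, generic illustration in Python. It is not Contact Form 7's code and does not reproduce the specific flaw behind CVE-2020-35489 (this post does not detail it); the allowed-extension policy, the magic-number table and the sample inputs are assumptions constructed for the demo. It places a naive "look at the last extension" check beside a hardened check that rejects control and separator characters, path components, any executable extension anywhere in the name, and content that does not match the claimed type.

```python
"""Generic upload validation illustrating the unrestricted file upload class.
Added example; not Contact Form 7 code and not the CVE-2020-35489 flaw itself.
All policy values below are assumptions for the demonstration."""
import re
import unicodedata

# Assumed policy: the form is meant to accept only these image/document types.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Extensions commonly executed by web servers; never allowed anywhere in a name.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl",
    "py", "sh", "asp", "aspx", "jsp", "htaccess",
}

# Leading bytes ("magic numbers") expected for each allowed extension.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def naive_is_allowed(filename: str) -> bool:
    """Flawed check seen in many upload handlers: trust whatever follows the
    last dot. It accepts 'shell.php.jpg' and names containing control
    characters, and never looks at the file's content."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def validate_upload(filename: str, data: bytes):
    """Return (True, ext) if the upload may be stored, else (False, reason)."""
    # Control, format and separator characters (Unicode categories C* and Z*)
    # can hide a second extension or truncate the name in a downstream layer.
    if any(unicodedata.category(ch)[0] in "CZ" for ch in filename):
        return False, "control_or_separator_char"
    # Path separators and traversal sequences must never reach the filesystem.
    if "/" in filename or "\\" in filename or ".." in filename:
        return False, "path_component"
    if not _SAFE_NAME.match(filename):
        return False, "unsafe_characters"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no_extension"
    exts = parts[1:]
    # Every dotted suffix is treated as an extension: none may be executable,
    # and the final one must be on the allowlist.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable_extension"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension_not_allowed"
    # The content must agree with the claimed type, or the name is a lie.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content_mismatch"
    return True, ext


if __name__ == "__main__":
    # Constructed sample inputs (not real uploads).
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    not_an_image = b"<?php echo 'not an image'; ?>"
    for name, data in [
        ("photo.jpg", jpeg),
        ("shell.php", not_an_image),
        ("shell.php.jpg", jpeg),
        ("shell.php\x00.jpg", jpeg),
        ("shell.php\u2028.jpg", jpeg),
        ("../photo.jpg", jpeg),
        ("photo.jpg", not_an_image),
    ]:
        print(repr(name), "naive:", naive_is_allowed(name),
              "hardened:", validate_upload(name, data))
```

The naive check says yes to `shell.php.jpg` and to `shell.php\x00.jpg`; the hardened check refuses both and additionally refuses a correctly named `photo.jpg` whose bytes are not a JPEG. Storing uploads outside the web root, or in a directory where the server is configured not to execute scripts, is the complementary control that limits damage even when a check is bypassed.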

On a website that runs a vulnerable version of Contact Form 7 and stores uploaded files on the server itself, an attacker can exploit this vulnerability to upload malicious content such as web shells.

Vulnerability

Checking the statistics of the plugin, it can be seen that a large number of WordPress websites are still using older versions. We’ve also been getting multiple requests asking for an exploit, which has been worrisome. Hence, taking into consideration the millions of websites on older versions and the interest of the black hat community, we won’t be releasing a PoC.

Further, we can confirm that WordPress websites not using the upload functionality in Contact Form 7, running the latest version, or using any good security tool are protected from this. We haven’t tracked any active exploitation in the wild so far.

Timeline

  • Vulnerability reported to the Contact Form 7 plugin developer – December 16, 2020.
  • Contact Form 7 update containing the fix to the vulnerability released – December 17, 2020.

Special mention to the Contact Form 7 plugin developer, Takayuki Miyoshi, who was quick to respond and address the issue, keeping in mind the security of the plugin’s users. We highly appreciate such responsible developers. 🙂

Recommendation

  • Update to the latest version (5.3.2 or later) immediately.
  • If you are using a web application firewall like Astra, you are already protected.
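The quickest way to act on these recommendations is to check the installed plugin version against the fixed release and, because the impact described above is a web shell landing in the uploads directory, to look there for anything server-executable. The script below is an added example, not from this post or from the plugin. It assumes a standard WordPress layout (the plugin's main file at wp-content/plugins/contact-form-7/wp-contact-form-7.php carrying a `Version:` header line, uploads under wp-content/uploads); the demo site it builds is constructed in a temporary directory for illustration.

```python
"""Triage helper for the Contact Form 7 advisory. Added example, not from the
post or the plugin. Assumes a standard WordPress directory layout."""
import os
import re
import tempfile

FIXED_VERSION = (5, 3, 2)  # first release with the fix, per the advisory
PLUGIN_MAIN = os.path.join("wp-content", "plugins", "contact-form-7",
                           "wp-contact-form-7.php")
UPLOADS_DIR = os.path.join("wp-content", "uploads")
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# WordPress plugin headers are "Key: value" lines inside the file's top comment.
_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(text: str):
    """Return the plugin version as an int tuple, or None if no header is found."""
    m = _VERSION_HEADER.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def installed_version(site_root: str):
    path = os.path.join(site_root, PLUGIN_MAIN)
    if not os.path.isfile(path):
        return None  # plugin not installed
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_version(fh.read(4096))


def is_vulnerable(version) -> bool:
    """5.3.1 and below are affected; 5.3.2 and later carry the fix."""
    v = tuple(version) + (0,) * (3 - len(version))  # (5, 3) compares as (5, 3, 0)
    return v < FIXED_VERSION


def suspicious_uploads(site_root: str):
    """Paths (forward-slash, relative to site_root) of files under the uploads
    directory whose name carries an executable extension anywhere in it,
    e.g. shell.php or shell.php.jpg."""
    hits = []
    base = os.path.join(site_root, UPLOADS_DIR)
    for dirpath, _, files in os.walk(base):
        for name in files:
            exts = name.lower().split(".")[1:]
            if any(e in EXECUTABLE_EXTENSIONS for e in exts):
                rel = os.path.relpath(os.path.join(dirpath, name), site_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def triage(site_root: str) -> dict:
    v = installed_version(site_root)
    return {
        "version": v,
        "vulnerable": v is not None and is_vulnerable(v),
        "suspicious_uploads": suspicious_uploads(site_root),
    }


def build_demo_site(version: str = "5.3.1") -> str:
    """Constructed sample tree (not a real site) for demonstration and testing."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    main = os.path.join(root, PLUGIN_MAIN)
    os.makedirs(os.path.dirname(main))
    with open(main, "w", encoding="utf-8") as fh:
        fh.write("<?php\n/*\nPlugin Name: Contact Form 7\nVersion: %s\n*/\n" % version)
    up = os.path.join(root, UPLOADS_DIR, "2020", "12")
    os.makedirs(up)
    for name in ("photo.jpg", "shell.php", "shell.php.jpg"):
        with open(os.path.join(up, name), "wb") as fh:
            fh.write(b"demo")
    return root


if __name__ == "__main__":
    print(triage(build_demo_site("5.3.1")))
```

Point `triage()` at a real document root instead of the demo tree to use it. A hit in the uploads listing is not proof of compromise (some plugins legitimately drop PHP there), but any such file deserves a look, and a vulnerable version with no hits still needs the update.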

Written by
Jinson Varghese