
WordPress Plugin Advanced Contact Form 7 DB vulnerable to SQLi

Updated on: March 29, 2020


Article Summary

A severe SQL injection (SQLi) vulnerability has been uncovered in the popular WordPress plugin Advanced Contact Form 7 DB, which has more than 40,000 active installations. The vulnerability was first reported on March 26th, and the patched version 1.6.1 was released two days ago, on the 10th of April. Users who have not yet updated still have reason to worry: the flaw can be exploited by anyone holding even a subscriber account on the site.

Risk Status- Advanced contact form 7 vulnerability

The risk from this vulnerability falls in the critical category, because it can be exploited by a low-privilege account rather than an administrator. It gives an attacker a free entry point to inject malicious content into the database and to read data they should never be able to reach.

In a nutshell, these could go wrong:

  • Bad actors could insert malicious content in the database
  • Hackers can leak sensitive data
  • This could also lead to a compromised WordPress installation.

The plugin developers were quick to release the patched version. Consequently, WordPress did not suspend the plugin as it did with the Yuzo Related Posts plugin only two days ago. Advanced Contact Form 7 DB is still available for new installations. This is what I got when I searched for Advanced Contact Form 7 DB in the WordPress Plugins Directory:

Advanced Contact form 7DB on WordPress


Details- Advanced contact form 7 vulnerability

WordPress core ships an AJAX action, parse-media-shortcode (served through wp-admin/admin-ajax.php), which takes a shortcode string from any logged-in user, renders it server-side with do_shortcode() and returns the result. It exists so the editor can preview media shortcodes, but it will run any registered shortcode, and a subscriber account is enough to call it. The plugin registers the acf7db shortcode in the public/class-advanced-cf7-db-public.php file, so that shortcode, together with whatever attributes the caller chooses to pass, is reachable through this route.

shortcode acf7db

The plugin developers also skipped a second essential safeguard: wpdb::prepare(). wpdb::prepare() binds untrusted values into a query through placeholders (%d, %s) so that they are escaped and can only ever be treated as data. Instead, the query was assembled as a plain string containing the caller-controlled value and handed directly to $wpdb->get_results(), which executes whatever SQL it is given. The vulnerable code is shown in the picture below:

vulnerable codes

As a result, the $fid value taken from the shortcode attribute flows into the query unchanged, so a crafted value rewrites the SQL statement and can read or alter data the caller should never reach. It must be said that no exploitation had been reported at the time of writing; this is a precautionary warning so that users update in advance.
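As an added illustration, not the plugin's own source (which the screenshot above shows), here is a minimal shortcode handler written in the vulnerable pattern the text describes, next to the same handler rewritten with wpdb::prepare(). The function names, the table name acf7db_entries and the id attribute are assumptions made for this example, as is the curl request in the trailing comment.

```php
<?php
// Illustrative reconstruction of the pattern, NOT the plugin's actual code.
// Assumed for this example: the table {$wpdb->prefix}acf7db_entries with a
// cf7_id column, the shortcode attribute "id", and the two function names.

// Vulnerable: the attribute value ($fid) is interpolated into the SQL string
// and the string is passed straight to $wpdb->get_results(), which executes
// whatever it receives. $wpdb->get_results() is not a sanitiser.
function acf7db_render_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'acf7db' );
    $fid  = $atts['id']; // caller-controlled, never validated

    $sql = "SELECT * FROM {$wpdb->prefix}acf7db_entries WHERE cf7_id = $fid";
    // [acf7db id="1 OR 1=1"] (or a UNION SELECT on the users table) now
    // changes the statement instead of selecting one form's entries.
    return $wpdb->get_results( $sql );
}

// Fixed: coerce the value to the type it must be, then bind it through
// wpdb::prepare() with a %d placeholder. The bound value can only be data,
// never SQL, so the attacker's attribute cannot alter the query.
function acf7db_render_fixed( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'acf7db' );
    $fid  = absint( $atts['id'] ); // a form id is a positive integer
    if ( 0 === $fid ) {
        return ''; // reject anything that is not a valid id outright
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}acf7db_entries WHERE cf7_id = %d",
        $fid
    );
    return $wpdb->get_results( $sql );
}

add_shortcode( 'acf7db', 'acf7db_render_fixed' );

// Why a subscriber is enough: wp-admin/admin-ajax.php exposes the core
// action parse-media-shortcode to any logged-in user and runs do_shortcode()
// on the POSTed string, so the shortcode handler receives attributes chosen
// by a user who has no permission to edit content. Illustrative request
// (example only; cookie name and host are placeholders):
//   curl -b 'wordpress_logged_in_<hash>=<subscriber cookie>' \
//        -d 'action=parse-media-shortcode' \
//        --data-urlencode 'shortcode=[acf7db id="1 OR 1=1"]' \
//        https://example.com/wp-admin/admin-ajax.php
// Every shortcode attribute must therefore be treated as untrusted input,
// whatever capability the shortcode was designed for.
```

Two points worth keeping in mind when reviewing your own plugins: the fix is the combination of type coercion and prepare(), not either alone (prepare() with %s would still accept any string, and absint() alone would leave a future string column unprotected), and the AJAX route means that a shortcode never placed in a post by an editor can still be executed by a subscriber.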

Needed Action

Update the plugin to version 1.6.1 or later as quickly as possible to close this hole. If you suspect the site has already been probed, go on to update your themes and reset passwords as well, since successful exploitation of this vulnerability can leak sensitive and confidential data from the database to the attacker.

To protect your website from many such attacks you can use Astra's Malware Scanner, which costs just $19/month. With our VAPT (Vulnerability Assessment and Penetration Testing) offering, our engineers will check your website thoroughly and help fix the vulnerabilities they find.


Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Patsy (7 months ago):

For the most up-to-date news you have to pay a quick visit to the web, and on the internet I found this web page as the best web page for the most recent updates.

Naman Rastogi, Admin (7 months ago), in reply to Patsy:

Thanks 🙂
