Wordpress Plugin Advanced Contact Form 7 DB vulnerable to SQLi

A severe SQL injection (SQLi) vulnerability has been uncovered in the popular WordPress plugin Advanced Contact Form 7 DB, which has more than 40,000 active installations. The vulnerability was first reported on March 26th, and the patched version 1.6.1 went live two days ago, on the 10th of April. Although the patch is available, current users still have reason to worry: the vulnerability can be exploited by anyone holding an account on the site, even a subscriber.

Risk Status - Advanced Contact Form 7 DB vulnerability

The risk attached to this vulnerability falls into the critical category, because an attacker can build further attacks on top of it. It gives an attacker a way to inject SQL into the database and read out valuable data.

In a nutshell, these could go wrong:

  • Bad actors could insert malicious content in the database
  • Hackers can leak sensitive data
  • This could also lead to a compromised WordPress installation.

The plugin developers were quick to release the patched version. Consequently, WordPress did not suspend the plugin as it did with the Yuzo Related Posts plugin only two days ago; Advanced Contact Form 7 DB is still available for new installations. This is what I got when I searched for Advanced Contact Form 7 DB in the WordPress Plugins Directory:

Advanced Contact form 7DB on WordPress


Details - Advanced Contact Form 7 DB vulnerability

WordPress ships with an AJAX action, wp-ajax-parse-media-shortcode, that lets a logged-in user submit a shortcode and have WordPress execute it server-side, so that authors can use a short tag instead of writing out long markup. The plugin registers its own shortcode, acf7db, in the public/class-advanced-cf7-db-public.php file, which means any authenticated user can invoke that shortcode, with attributes of their choosing, through this action.

shortcode acf7db

In addition, the plugin developers overlooked one more pivotal detail: wpdb::prepare. wpdb::prepare binds untrusted values into an SQL query through placeholders, so only properly escaped values reach the database. Here the code passed its query straight to wpdb->get_results() without running it through wpdb::prepare first, which is not a safe way to build a query from user-controlled input. The vulnerable code is shown in the picture below:

vulnerable codes

As a result, the $fid value is dropped into the query as-is, so a crafted attribute value becomes part of the SQL and can lead to serious damage. It must be stated, however, that no exploitation has yet been reported; this is a precautionary warning to users.
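As an added illustration (not the plugin's own code, which the post shows only as a screenshot), the following hypothetical shortcode handler contrasts the unsafe pattern described above with the wpdb::prepare form; the function names and the example_entries table are assumptions.

```php
<?php
// Illustrative example, not the plugin's code. Function and table names are
// hypothetical; the real vulnerable code appears in the post only as an image.

// Vulnerable pattern: the shortcode attribute is concatenated into the SQL
// string. Because parse-media-shortcode lets any logged-in user run a
// registered shortcode, $atts['fid'] is attacker-controlled, even for a
// subscriber account.
function example_entries_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'fid' => '' ), $atts, 'acf7db' );
    $fid   = $atts['fid'];
    $table = $wpdb->prefix . 'example_entries'; // hypothetical table
    // BAD: $fid goes into the query without quoting, escaping or casting.
    $rows = $wpdb->get_results(
        "SELECT id, form_value FROM {$table} WHERE form_id = {$fid}"
    );
    return example_render_rows( $rows );
}

// Hardened pattern: the value is cast to a non-negative integer, then bound
// through $wpdb->prepare() with a %d placeholder, so it can only ever reach
// MySQL as a number. Output is also gated behind a capability check, since
// form submissions should not be readable by every logged-in user.
function example_entries_shortcode_fixed( $atts ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }
    $atts = shortcode_atts( array( 'fid' => '' ), $atts, 'acf7db' );
    $fid  = absint( $atts['fid'] );
    if ( 0 === $fid ) {
        return ''; // reject missing or non-numeric ids outright
    }
    $table = $wpdb->prefix . 'example_entries'; // hypothetical table
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, form_value FROM {$table} WHERE form_id = %d",
            $fid
        )
    );
    return example_render_rows( $rows );
}

// Escape on output as well, so stored values cannot inject HTML.
function example_render_rows( $rows ) {
    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . esc_html( $row->form_value ) . '</li>';
    }
    return '<ul>' . $out . '</ul>';
}
```

Only the hardened handler should ever be registered with add_shortcode(); the vulnerable one is shown solely to make the difference visible.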

Needed Action

Update this plugin as quickly as possible to ward off any threat to your website. Then go on to update your themes and reset passwords. Successful exploitation of this vulnerability can leak sensitive and confidential data to the attacker.

To protect your website from many such possible attacks you can use Astra’s Malware Scanner which comes for just $19/month. Also, with our VAPT (Vulnerability Assessment and Penetration Testing) offering, our engineers will check your website thoroughly and mend all the possible vulnerabilities.


About The Author

Aakanchha Keshri

A tech enthusiast. She loves to learn and write about CMS security. And a Potterhead.
