On December 16, 2020, the Astra Security Research team discovered an Unrestricted File Upload vulnerability in Contact Form 7, a WordPress plugin installed on 5 Million+ websites.
CVE ID: CVE-2020-35489
Contact Form 7 is one of the most popular WordPress plugins that allows its users to add multiple contact forms on their site. The plugin currently has over 5 million active installations. So, any vulnerability in this plugin puts millions of websites at risk of being compromised.
File Upload Vulnerability
Our research team led by Jinson Varghese recently discovered a high-severity Unrestricted File Upload vulnerability in the WordPress plugin Contact Form 7 5.3.1 and older versions. By exploiting this vulnerability, attackers could simply upload files of any type, bypassing the restrictions a website places on the allowed uploadable file types. Further, it allows an attacker to inject malicious content such as web shells into sites that are using a Contact Form 7 plugin version below 5.3.1 and have file upload enabled on their forms.
The Astra Security Research team initially reached out to the Contact Form 7 plugin developers via their support forum on December 16, 2020. After receiving an acknowledgment from the plugin developers, we disclosed the full details of this vulnerability on December 17, 2020. On the same day, a final sufficient patch was released. We highly recommend updating the plugin immediately to its latest version, 5.3.2 as of today.
Checking the statistics of the plugin, it can be seen that a large number of WordPress websites are still using older versions. We’ve also been getting multiple requests asking for an exploit, which has been worrisome. Hence, taking into consideration the millions of websites on older versions and the interest of the black hat community, we won’t be releasing a PoC.
Further, we can confirm that WordPress websites not using the upload functionality in Contact Form 7, running the latest version, or using any good security tool are protected from this. We haven’t tracked any active exploitation in the wild so far.
Note: If you are using Astra Security’s firewall & malware scanner, you’re automatically protected out of the box. For even better & wider coverage, we recommend installing Astra Security via this method on your WordPress site.
Consequences of File Upload Vulnerability in Contact Form 7 (5.3.1 & older versions)
- Possible to upload a web shell and inject malicious scripts
- Complete takeover of the website & server if there is no containerization between websites on the same server
- Defacing the website
Disclosure Timeline
- December 16, 2020 – Initial discovery of the Unrestricted File Upload vulnerability
- December 16, 2020 – The Astra Security Research team reached out to the plugin developers and received an acknowledgment
- December 17, 2020 – We sent over the full vulnerability disclosure details to the Contact Form 7 team
- December 17, 2020 – An initial patch for the vulnerability was released, which turned out to be insufficient
- December 17, 2020 – We provided more details about the vulnerability to the plugin developers
- December 17, 2020 – The final sufficient patch was released in plugin version 5.3.2
Special mention to the Contact Form 7 plugin developer, Takayuki Miyoshi, who was quick to respond, take action and release an update with the security of the plugin’s users in mind. This inspires confidence in Contact Form 7’s commitment to security.
As the cyber threat landscape keeps expanding, threat actors are actively discovering new techniques to bring online businesses to their knees. To protect against such plugin vulnerabilities, you need to make sure that you have all security measures in place for protecting your site and online business.
If you are using the Contact Form 7 plugin version 5.3.1 and below, it is highly recommended to update this WordPress plugin to its latest version i.e. 5.3.2 (at the time of writing).
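A quick way to audit an install for the affected versions, as an added example that is not part of the original advisory: it assumes the standard plugin directory wp-content/plugins/contact-form-7/ and reads the Version: field from the plugin’s main file wp-contact-form-7.php; the sample header it ships with is constructed.

```python
"""Audit helper: flag Contact Form 7 installs older than the 5.3.2 fix for CVE-2020-35489."""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = (5, 3, 2)  # first release carrying the final patch, per the advisory

# Main plugin file relative to the WordPress root (assumption: default plugin directory name).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/contact-form-7/wp-contact-form-7.php")

# Constructed sample of a WordPress plugin header block (not copied from the plugin).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Contact Form 7
Author: Takayuki Miyoshi
Version: 5.3.1
*/
"""


def parse_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Extract the 'Version:' value from a plugin header; tolerates '* Version:' comment styles."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.MULTILINE)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the version predates 5.3.2; short versions are padded so 5.3 compares as 5.3.0."""
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION  # numeric tuple compare, so 5.3.10 correctly ranks above 5.3.2


def assess(header_text: str) -> dict:
    """Classify a header: parsed version string plus whether it is an affected release."""
    version = parse_version(header_text)
    if version is None:
        return {"version": None, "vulnerable": None}  # unreadable header: inspect manually
    return {"version": ".".join(map(str, version)), "vulnerable": is_vulnerable(version)}


def check_install(wp_root: Path) -> dict:
    """Read the plugin's main file under a WordPress root; a missing plugin is reported as not affected."""
    plugin_file = wp_root / PLUGIN_MAIN_FILE
    if not plugin_file.is_file():
        return {"version": None, "vulnerable": False}
    return assess(plugin_file.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    print(check_install(Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")))
```

Run it with the WordPress root as the only argument; a result of `"vulnerable": True` means the site is on 5.3.1 or older and should be updated.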
For best security practices, you can follow the below guides:
- WordPress Security Guide
- DIY WordPress Hack and Malware Removal
- WordPress Security Audit
- Astra’s Free Remote Website Scanner
Feel free to comment with your queries & we will be happy to answer them 🙂