WordPress is one of the most popular content management system on the net today powering around 30.3 percent top websites. Contact Form 7 is one of the most popular plugins of WordPress with more than 5 million installations presently. A recent vulnerability has been discovered in the contact form which has been reported by Simon Scannell a german security researcher working at RIPS technologies.

Privilege Escalation in Contact Form 7

Contact Form 7 supports Ajax-powered submitting, CAPTCHA, Akismet spam filtering. Contact Form 7 has suffered a number of vulnerabilities in the past which includes CVE 2018-9035 (CSV formula injection), CVE 2014-6445 (XSS) etc. This time Contact Form 7 v5.0.3 and older versions are affected by a privilege escalation vulnerability. This is most likely because of not specifying the capability_type argument explicitly.

Worried about WordPress redirect hack? Drop us a message on the chat widget and we’d be happy to help you fix it. Secure my WordPress website now.

Reason for Privilege Escalation

Capability_type argument is a string which is used to build the read, edit, and delete capabilities. The 'capability_type' parameter is used as a base to construct capabilities unless they are explicitly set with the 'capabilities' parameter. Since the disclosure of vulnerability the author has specified the capability_type explicitly in the register_post_type() to fix the issue.

WordPress allows multiple user roles as contributors, editors, subscribers, authors etc. Due to this vulnerability a user logged in as a contributor can edit the content form, a feature which is presently the privilege of editors and admins only. This vulnerability is more severe than it seems because of the two features of the contact form 7:

  1. Contact Form 7 allowed absolute file path i.e. /host/home/somefile.pdf. Thus with the ability to edit the form the attacker could access files outside wp-content.
  2. ‘Filetypes’: A non privileged user can tweak the feature filetypes i.e. (filetypes: gif|png|jpg|jpeg) to include files like .php, .asp etc. i.e (filetypes: php|asp) and obtain reverse shells.

Possible Consequences of Privilege Escalation in Contact Form 7

Thus the attacker can put the file type of his choice in the wp-contents directory and obtain a reverse shell paving way for further attacks. As a temporary solution, Takayuki Miyoshi the author of this plugin has disallowed file path that refers to a file placed outside the wp-content directory. Many users have started to complain about file attachment errors on the support forum of contact form-7. To stay secure update to the latest version and Move your files to <your WordPress root>/wp-content/ and replace the line in the File Attachments fields accordingly.

Consult Astra security experts now for immediate malware clean up. Our powerful Firewall safeguards your website from XSS, LFI, RFI, SQL Injection, Bad bots, Automated Vulnerability Scanners and 80+ security threats. Secure my website now.

Clean My Hacked Website Now

Website Malware Cleanup Website Malware Cleanup

Have you been hacked? Do you need help with fixing your website? We provide professional malware cleanup services to get your business back online quickly.

Removal of Security Warnings Removal of Security Warnings

If your website is hacked, your visitors may be shown a warning message. Astra will take the necessary steps to remove your website from the blacklists ASAP.

Astra Website Firewall (WAF) Website Firewall (WAF)

Stop future website hacks with Astra WAF & protect your website. No hassle out-of-the-box security tailored to your technology stack & CMSs like WordPress, Magento, Opencart etc.

Real Human Support Real Human Support

Astra's team of security engineers guide you through your security journey. We believe in customers first, so no waiting in long queues to get your queries answered.

This information is provided as part of the Astra community project. All information should be considered as-is, without guarantees. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to [email protected]

Astra Pro Plan
Get Started
Malware Cleanup (12h)
Rock-solid Website Firewall
Automatic Malware Scanner
Bad Bot Protection
Blacklist Monitoring
File Upload Scanning
IP & Country Blocking
GDPR Consent Tool