A vulnerability has been discovered in Contact Form 7 that permits an attacker to upload malicious scripts. The publishers of Contact Form 7 have released an update to address this issue.
Unrestricted File Upload Vulnerability
An unrestricted file upload vulnerability in a WordPress plugin occurs when the plugin lets an attacker upload a web shell (a malicious script) that the server will then execute. Such a script can take over a site, tamper with its database, and more.
A web shell is a harmful script written in any web language, uploaded to a vulnerable site, automatically processed, and used to gain access, execute commands, tamper with the database, etc.
Contact Form 7 refers to their latest update as an "urgent security and maintenance release."
According to Contact Form 7:
An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions.
Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization and upload a file which can be executed as a script on the host server.
A more detailed description of the vulnerability was shared on Contact Form 7’s WordPress plugin repository page.
Removes control, separator, and other types of special characters from filename to fix the unrestricted file upload vulnerability issue.
Screenshot of WordPress Plugin Changelog Update Description
The screenshot above shows the Contact Form 7 plugin "more info" description that appears when updating the plugin from a WordPress installation. The description matches what is published on the official WordPress repository for the plugin.
Filename Sanitization
Filename sanitization refers to the functions in upload-handling code that decide which files may be uploaded by inspecting and rewriting the submitted file name, so that certain file types are restricted. Filename sanitization can also control file paths.
A filename sanitization function blocks certain file names and/or allows only a restricted list of file names.
In the case of Contact Form 7, there was an issue in the filename sanitization, which led to certain dangerous files being unintentionally allowed.
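As an added illustration (written for this article in Python, not the plugin's own PHP code), the following sanitizer performs the kind of cleanup the changelog describes: it strips control, format and separator characters before the extension check, then applies an allowlist to every extension component rather than only the last one. The allowlists and sample file names are constructed for the example.

```python
import re
import unicodedata

# Constructed allowlist for this example; a real form sets its own.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions that must not appear anywhere in the name, even as a middle
# component ("name.php.jpg"), because some server configurations execute
# a file based on any of its extensions rather than only the last one.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "pl", "py", "cgi", "sh", "asp", "aspx", "jsp", "htaccess",
}


def sanitize_filename(name: str) -> str:
    """Reduce a client-supplied filename to a safe base name ('' if nothing is left)."""
    # 1. Discard any directory part the client sent (both separator styles).
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # 2. Drop control, format and other 'C'-category code points
    #    (NUL, TAB, zero-width characters, ...), the class the changelog names.
    name = "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))
    # 3. Turn remaining whitespace into underscores, then keep only a
    #    conservative ASCII set so nothing can act as a path or shell separator.
    name = re.sub(r"\s+", "_", name)
    name = re.sub(r"[^A-Za-z0-9._-]", "", name)
    # 4. Collapse dot runs and strip leading dots (no '..', no hidden files).
    name = re.sub(r"\.{2,}", ".", name).lstrip(".")
    return name


def is_upload_allowed(name: str) -> bool:
    """Allowlist check applied to every extension component of the sanitized name."""
    safe = sanitize_filename(name)
    if not safe or "." not in safe:
        return False
    exts = safe.lower().split(".")[1:]
    return exts[-1] in ALLOWED_EXTENSIONS and not any(
        e in EXECUTABLE_EXTENSIONS for e in exts
    )


if __name__ == "__main__":
    # Constructed sample names, as a form handler might receive them.
    for raw in ["My Photo (1).PNG", "invoice\t2020.pdf", "..hidden.jpg",
                "C:\\Users\\me\\cv.pdf", "notes.phtml.txt", "archive.tar.gz"]:
        print(repr(raw), "->", repr(sanitize_filename(raw)), is_upload_allowed(raw))
```

The sanitized name, not the original, is what should be used when the file is stored, and the check should run server-side on every submission regardless of what the form's client-side validation accepted.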
Vulnerability Fixed in Contact Form 7 Version 5.3.2
Researchers at a web security company initially discovered the vulnerability.
The filename sanitization vulnerability is fixed in Contact Form 7 version 5.3.2.
All versions of Contact Form 7 from 5.3.1 and earlier are considered vulnerable and should be updated immediately.
Citations
Read the announcement at Contact Form 7
Contact Form 7 Official Website
Read the announcement at Security Company Astra
Unrestricted File Upload Vulnerability found in Contact Form 7
Read the Contact Form 7 Changelog