This popular WordPress plugin has a serious security vulnerability

News
By Barclay Ballard
published

Patch has been issued for the critical file upload vulnerability

WordPress logo
(Image credit: Pixabay)

A WordPress plugin with more than five million active installs has issued an urgent update in an effort to patch a critical file upload vulnerability. 

The plugin, Contact Form 7, allows users to add multiple contact forms on their site but was recently found to contain a serious vulnerability by Astra security researchers

The vulnerability is being tracked as CVE-2020-35489 and a patch has been included within the Contact Form 7 5.3.2 update. The Contact Form 7 project has classified the update as “an urgent security and maintenance release” and advised users to install it immediately.

“Our research team led by Jinson Varghese recently discovered a high-severity Unrestricted File Upload vulnerability in the WordPress plugin Contact Form 7 5.3.1 and older versions,” the Astra blog explained.

“By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. Further, it allows an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms.”

Double trouble

The vulnerability concerns a particular part of the Contact Form 7 plugin code that does not remove special characters from uploaded file names. As such, attackers can upload file names with double-extensions separated by a special character. This could potentially allow an attacker to execute arbitrary code on the victim’s server.

The patched version of Contact Form 7 includes a regular expression validation constraint that means that special characters cannot be exploited in the aforementioned way. 

Other double-extension vulnerabilities have been seen elsewhere this year, including one affecting the Drupal CMS platform – a WordPress rival that is used by more than a million websites.

Via BleepingComputer

Barclay Ballard
Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.