Skip to main content

This popular WordPress plugin has a serious security vulnerability

WordPress logo
(Image credit: Pixabay)

A WordPress plugin with more than five million active installs has issued an urgent update in an effort to patch a critical file upload vulnerability. 

The plugin, Contact Form 7, allows users to add multiple contact forms on their site but was recently found to contain a serious vulnerability by Astra security researchers

The vulnerability is being tracked as CVE-2020-35489 and a patch has been included within the Contact Form 7 5.3.2 update. The Contact Form 7 project has classified the update as “an urgent security and maintenance release” and advised users to install it immediately.

“Our research team led by Jinson Varghese recently discovered a high-severity Unrestricted File Upload vulnerability in the WordPress plugin Contact Form 7 5.3.1 and older versions,” the Astra blog explained.

“By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. Further, it allows an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms.”

Double trouble

The vulnerability concerns a particular part of the Contact Form 7 plugin code that does not remove special characters from uploaded file names. As such, attackers can upload file names with double-extensions separated by a special character. This could potentially allow an attacker to execute arbitrary code on the victim’s server.

The patched version of Contact Form 7 includes a regular expression validation constraint that means that special characters cannot be exploited in the aforementioned way. 

Other double-extension vulnerabilities have been seen elsewhere this year, including one affecting the Drupal CMS platform – a WordPress rival that is used by more than a million websites.

Via BleepingComputer