A critical vulnerability has been identified in the popular WordPress plugin Contact Form 7, which is installed on approximately 5 million websites. The vulnerability, tracked as CVE-2020-35489, is easy to exploit and can be exploited remotely without the attacker having to authenticate on the vulnerable website.
The vulnerability is classed as an unrestricted file upload bug, according to Astra Security Research, which identified the flaw on Wednesday. That means an unauthenticated attacker could bypass the form's file-type restrictions and upload any file to the website. An executable binary could be uploaded, for example, which the attacker could then execute, and web shells could be uploaded and used to inject malicious scripts on sites running a vulnerable version of the plugin.
All websites running a vulnerable version of the plugin are at risk of being hijacked. It is also possible to exploit the flaw and compromise the entire server if there is no containerization between websites on the same server.
Astra Security alerted the plugin developer, Takayuki Miyoshi, about the flaw and a fix was rapidly released. The vulnerability has been fixed in version 5.3.2 of the plugin. Around 70% of the active websites with Contact Form 7 installed are running vulnerable versions of the plugin (v5.3.1 and earlier).
The updated version of the plugin is now being pushed out, and the flaw will be corrected automatically on sites where the owners have configured the plugin to update automatically. All website owners that have Contact Form 7 installed should log in to their sites, check that they have the latest version of the plugin installed, and update the plugin to the latest version manually if not.
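The check described above can be automated on the server side by reading the plugin's own version header and comparing it with the first fixed release. The script below is an added example, not code from the article or from the plugin; it assumes the default plugin directory name and main file (`wp-content/plugins/contact-form-7/wp-contact-form-7.php`) and uses a constructed sample header for an offline run.

```python
import re
from pathlib import Path

FIXED_VERSION = "5.3.2"  # first release carrying the fix, per the advisory

# Default location of the plugin's main file relative to the WordPress root
# (assumption: a stock install with the default plugin directory name).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/contact-form-7/wp-contact-form-7.php")

# Constructed sample of a WordPress plugin header block; this is not copied
# from the plugin and only serves to run the checks offline.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Contact Form 7
Version: 5.3.1
*/
"""

def version_tuple(version: str):
    """Split '5.3.10' into (5, 3, 10) so that comparisons are numeric.
    A plain string compare would wrongly rank '5.3.10' below '5.3.2'."""
    return tuple(int(part) for part in version.split("."))

def parse_version(text: str):
    """Return the value of the 'Version:' header line, or None if absent.
    Accepts both bare and ' * ' prefixed header lines."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", text, re.MULTILINE)
    return m.group(1).rstrip(".") if m else None

def is_vulnerable(plugin_file_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the header version is older than the first fixed release."""
    found = parse_version(plugin_file_text)
    if found is None:
        raise ValueError("no Version header found in plugin file")
    return version_tuple(found) < version_tuple(fixed)

def check_install(wp_root: str) -> str:
    """Report the plugin status for a WordPress install rooted at wp_root."""
    path = Path(wp_root) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return "contact-form-7 not installed"
    status = "vulnerable" if is_vulnerable(path.read_text(errors="replace")) else "patched"
    return f"{status} (Version: {parse_version(path.read_text(errors='replace'))})"

if __name__ == "__main__":
    print("sample header:", "vulnerable" if is_vulnerable(SAMPLE_HEADER) else "patched")
```

Run `check_install("/var/www/html")` (or whatever the site's document root is) on each host to get a per-site verdict; anything reported as vulnerable needs the manual update the article recommends.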
Jinson Varghese, an Information Security Analyst at Astra, has been credited with identifying the vulnerability.