The Astra Security Research team has discovered an Unrestricted File Upload vulnerability in Contact Form 7, a WordPress plugin installed on 5 Million+ websites.
The Astra Security Research team initially reached out to the Contact Form 7 plugin developers via their support forum on December 16, 2020. After receiving an acknowledgment from the plugin developers, we disclosed the full details of this vulnerability on December 17, 2020. On the same day, a final sufficient patch was released. We highly recommend updating the plugin to its latest version (5.3.2 as of today) immediately.
More details on the vulnerability will be added after a period of two weeks, to give users enough time to update and take necessary action to ensure they’re safe.
Note: If you are using Astra Security’s firewall & malware scanner, you’re automatically protected out of the box. For even better and wider coverage, we recommend installing Astra Security on your WordPress site via this method.
Consequences of the File Upload Vulnerability in Contact Form 7 (5.3.1 and older versions)
- Possible to upload a web shell and inject malicious scripts
- Complete takeover of the website & server if there is no containerization between websites on the same server
- Defacing the website
- December 16, 2020 – Initial discovery of the Unrestricted File Upload vulnerability
- December 16, 2020 – The Astra Security Research team reached out to the plugin developers and received an acknowledgment
- December 17, 2020 – We sent the full vulnerability disclosure details to the Contact Form 7 team
- December 17, 2020 – An initial, insufficient patch for the vulnerability was released
- December 17, 2020 – We provided more details about the vulnerability to the plugin developers
- December 17, 2020 – The final sufficient patch was released in plugin version 5.3.2
Special mention to the Contact Form 7 plugin developer, Takayuki Miyoshi, who was quick to respond and address the issue with the security of the plugin users in mind. His prompt response, action and release of an update inspire confidence in Contact Form 7’s commitment to security.