A Challenging Exploit: The Contact Form 7 File Upload Vulnerability
by Ram Gall, Wordfence.com
Dec 17, 2020

Contact Form 7, arguably the most widely used WordPress plugin, released a security patch for an unrestricted file upload vulnerability in all versions 5.3.1 and lower. The WordPress plugin directory lists 5+ million sites using Contact Form 7, but we estimate that it has at least 10 million installations.

One of the important features of Contact Form 7 is the ability to allow file uploads as a part of a form submission. While uploaded filenames are sanitized during the upload process, reviewing the patch indicates that an attacker could potentially bypass some of Contact Form 7’s filename sanitization protections when uploading files by adding control characters or invisible separators.

There are a number of mitigations in place within Contact Form 7 that would make this bypass difficult to fully exploit:
  • Any uploaded files are stored temporarily in a folder with a random name, and removed immediately after the file is sent to the form recipient. This means the attacker would need to be able to find the random folder name, which would likely require Directory Indexing to be enabled, and they would need to do so before the randomized directory and uploaded file were removed.
  • Contact Form 7 uses an .htaccess file to disallow direct access to uploaded files which would be necessary to execute code. While this would only work on sites running Apache, it would prevent execution of any uploaded files unless a separate vulnerability was present.
  • The filename must end in an acceptable file extension. This means that only certain Apache configurations would assign a PHP handler to any uploaded file using a double extension.
If you are using Contact Form 7 without the file upload functionality, your site is not vulnerable to attackers looking to exploit this vulnerability. However, we still recommend an immediate update to ensure your site is protected.

Wordfence customers, including Wordfence Premium users and those still running the free version, are protected by the Firewall’s built-in file upload protection which will prevent any attempts to upload known malware or executable PHP files.

The patched version was released early today, Wednesday, December 17, 2020. If your site is one of the many sites using Contact Form 7, we strongly recommend that you update to version 5.3.2 as soon as possible.

While this vulnerability is unlikely to be easily exploitable, due to the prevalence of sites using Contact Form 7, attackers may still end up targeting this vulnerability. Given more time, or published proof of concept code, attackers may find that exploitation of this vulnerability is much easier than is readily apparent now.

Read more...
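An added example, not code from the article, Contact Form 7 or Wordfence: a PHP sanitizer for upload filenames that strips control and invisible format characters before the extension check and rejects script extensions anywhere in the name, so a double extension cannot rely on an Apache configuration that honours it. The two extension lists are assumptions and the inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Extensions this hypothetical form accepts (assumed allow-list).
const ALLOWED_EXTENSIONS = ['pdf', 'jpg', 'jpeg', 'png', 'txt'];
// Extensions a web server may pass to a script handler; rejected in any
// position of the name, not only the last, to close the double-extension case.
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'cgi', 'pl', 'shtml'];

/** Returns a safe filename, or null when the upload should be rejected. */
function sanitize_upload_filename(string $name): ?string
{
    // Invalid UTF-8 is rejected instead of guessed at (the //u match fails on it).
    if (preg_match('//u', $name) !== 1) {
        return null;
    }
    // Strip control characters (\p{Cc}, including NUL) and invisible format
    // characters (\p{Cf}: zero-width space, soft hyphen, bidi controls, ...).
    $name = preg_replace('/[\p{Cc}\p{Cf}]+/u', '', $name);
    // Remove any directory component, whichever separator was used.
    $name = basename(str_replace('\\', '/', $name));
    // Collapse everything outside a conservative ASCII set to '_'.
    $name = preg_replace('/[^A-Za-z0-9._-]+/', '_', $name);
    // No leading/trailing dots or dashes: no hidden files, no bare extensions.
    $name = trim($name, '._-');
    if ($name === '') {
        return null;
    }
    $segments = explode('.', strtolower($name));
    if (count($segments) < 2) {
        return null; // no extension at all
    }
    $ext = array_pop($segments);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    foreach ($segments as $segment) {           // earlier segments = double extension
        if (in_array($segment, SCRIPT_EXTENSIONS, true)) {
            return null;
        }
    }
    return $name;
}

// Constructed inputs: a plain name, one with an invisible separator, one with
// a double extension, one with a path component.
foreach (["report.pdf", "photo\u{200B}.jpg", "report.php.pdf", "../notes.txt"] as $input) {
    printf("%-22s => %s\n", json_encode($input), sanitize_upload_filename($input) ?? 'REJECTED');
}
```

The sanitizer is one layer; the article's other mitigations (a non-guessable, short-lived upload directory and an .htaccess that denies direct access) still apply independently of it.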
 
Similar threads
Thread starter Title Forum Replies Date
djbaxter Test your Contact Form 7 on WordPress sites! Recycle Bin 4
rich_marlatt What Wordpress plugins do you recommend for SEO and Schema Markup? Ask a LocalU Expert [PRIVATE] (LocalU) 4
djbaxter WordPress: The NoneNone Brute Force Attacks: Currently Active Websites, Software, and Security 0
djbaxter New features in WordPress 5.6 Websites, Software, and Security 0
djbaxter PHP 8: What WordPress Users Need to Know Websites, Software, and Security 0
djbaxter Speed Test for WordPress sites Websites, Software, and Security 1
djbaxter New WordPress Toolkit from cPanel Websites, Software, and Security 0
djbaxter Facebook & Instagram embeds on WordPress will break soon Websites, Software, and Security 1
djbaxter WordPress 5.5 update breaks plugins: Here’s the fix Websites, Software, and Security 6
Andrew Scherer Hacking QDF with WordPress Plugins Local Content 2
djbaxter Bing URL Submissions Plugin For WordPress Websites, Software, and Security 2
A What Wordpress Website Builder & Theme do you use? (Page speed in mind) Organic SEO 4
A What Wordpress Speed Optimizing Plugins do you use? Websites, Software, and Security 7
djbaxter WordPress Sites Targeted in Large-Scale Attacks Websites, Software, and Security 0
C Don’t we all want to develop fast websites? WordPress fastest page speeds using background images <srcset>, <img>, <picture>, @media, @2x retina Websites, Software, and Security 0
djbaxter Ninja Forms WordPress Plugin: High Severity Vulnerability Patched Websites, Software, and Security 0
djbaxter Critical security flaw in WordPress Jetpack plugin Websites, Software, and Security 0
djbaxter Site Kit by Google WordPress plugin Websites, Software, and Security 11
djbaxter WordPress Rich Reviews Plugin Under Active Attack Websites, Software, and Security 1
djbaxter Malicious WordPress Redirect Campaign Attacking Several Plugins Websites, Software, and Security 1
P New wordpress website Websites, Software, and Security 5
Chris Ratchford Anyone familiar w/ Advanced Custom Fields (for WordPress)? Consultant's Corner 6
brettmandoes Speed Plugin for WordPress sites Websites, Software, and Security 19
Jo Shaer Auto publishing from Wordpress blog to GMB post Google My Business & Google Maps 5
D Google Reviews Widget for WordPress Recycle Bin 0
djbaxter Security vulnerability in WordPress Slick Popup Plugin Websites, Software, and Security 1
djbaxter Stay current with the latest WordPress and Plugins Security Issues with this newsletter Websites, Software, and Security 0
djbaxter Urgent! Serious Security Threat Found in WordPress Plugin Yuzo Related Posts Websites, Software, and Security 1
djbaxter Grammarly Adds Junk Code to WordPress Posts and Pages Websites, Software, and Security 4
djbaxter Vulnerabilities in Two WordPress Plugins Websites, Software, and Security 2
djbaxter WordPress 5.1.1 Patches Critical Vulnerability: Update now Websites, Software, and Security 0
R Free Webinar: Wix, Weebly, Squarespace and WordPress - Which Is Best? Events 0
JoyHawkins Who is Switching to Wordpress 5.0? Websites, Software, and Security 13
djbaxter Google WordPress Plugin to Integrate Analytics, Search Console, AdSense, PageSpeed Websites, Software, and Security 4
Dan Foland Has anyone else been experiencing a rise in Brute Force attacks on WordPress recently? Websites, Software, and Security 4
djbaxter WordPress Alert: PHP 5.6 and 7.0 reach EOL December 2018 Websites, Software, and Security 2
Josh Gill New Wordpress Plugin to Manage GMB Posts Google My Business & Google Maps 12
P Broadband provider blocks wordpress site: Effect on SEO / local search? Local Search 2
P Guide/suggestions for improving my GMB local listing? wordpress plugins? Local Search 14
djbaxter Google Reviews Widget for WordPress Websites, Software, and Security 8
djbaxter WordPress 4.9.8 Released, May Need to Install the Classic Editor Websites, Software, and Security 8
djbaxter WordPress vulnerability, all versions: Check your Author and higher role permissions Websites, Software, and Security 0
djbaxter How to Disable Gutenberg in WordPress Websites, Software, and Security 3
Caroline Google My Business Website PLUS a WordPress one Local Search 8
P Wordpress template for business company Local Search 7
djbaxter WordPress 4.9.4 Fixes Critical Auto Update Bug in 4.9.3 Websites, Software, and Security 0
djbaxter Check your WordPress plugins! Organic SEO 0
dannanelli WordPress Footer Section as a Page Organic SEO 7
djbaxter Marked jump in brute force attacks against WordPress sites Organic SEO 0
G Are any wordpress themes better for local SEO? Local Search 5

Similar threads

Login / Register

Already a member?   LOG IN
Not a member yet?   REGISTER

Most UpVoted Answers

LocalU Podcasts

  Promoted Posts

New advertising option: A review of your product or service posted by a Sterling Sky employee. This will also be shared on the Sterling Sky & LSF Twitter accounts, our Facebook group, LinkedIn, and both newsletters. More...
Google Product Exert


Top Bottom