Contact Form 7 is a popular WordPress plugin that is used to create, customize, and manage multiple contact forms on WordPress sites. A critical file upload vulnerability has been identified in the WordPress Contact Form 7 plugin which allows an attacker to execute arbitrary code on affected WordPress sites. Contact Form 7 is a very popular WordPress plugin and is currently installed on more than 5 million active WordPress websites.
This file upload vulnerability exists in the formatting.php file in the WordPress Contact Form 7 plugin and is identified with CVE-2020-35489. The Contact Form 7’s filename sanitization protection does not validate the filename for special characters (like invisible separators, control characters, or any kind of whitespaces), allowing attackers to upload files of any type and execute arbitrary code. The below figure shows how a validation check for removing such special characters has been added as part of the solution for this vulnerability.
The vulnerability affects WordPress Contact Form 7 plugin versions 5.3.1 and prior.
Note: Sites having Contact Form 7 installed without the file upload functionality are not vulnerable.
- An attacker can upload a web shell and inject malicious scripts.
- An attacker can execute arbitrary code and completely take over the website.
- An attacker can compromise the web server also.
- An attacker can put a phishing page into the website and deface the website.
A fix for this vulnerability has been released. Update WordPress Contact Form 7 plugin to version 5.3.2 or later.