WordPress Plugin Contact Form 7 Critical File Upload Vulnerability (CVE-2020-35489)

WordPress Plugin Contact Form 7 Critical File Upload Vulnerability (CVE-2020-35489)

Contact Form 7 is a popular WordPress plugin that is used to create, customize, and manage multiple contact forms on WordPress sites. A critical file upload vulnerability has been identified in the WordPress Contact Form 7 plugin which allows an attacker to execute arbitrary code on affected WordPress sites. Contact Form 7 is a very popular WordPress plugin and is currently installed on more than 5 million active WordPress websites.

This file upload vulnerability exists in the formatting.php file in the WordPress Contact Form 7 plugin and is identified with CVE-2020-35489. The Contact Form 7’s filename sanitization protection does not validate the filename for special characters (like invisible separators, control characters, or any kind of whitespaces), allowing attackers to upload files of any type and execute arbitrary code. The below figure shows how a validation check for removing such special characters has been added as part of the solution for this vulnerability.

 


Affected Versions

The vulnerability affects WordPress Contact Form 7 plugin versions 5.3.1 and prior.

Note: Sites having Contact Form 7 installed without the file upload functionality are not vulnerable.


Impact

  • An attacker can upload a web shell and inject malicious scripts.
  • An attacker can execute arbitrary code and completely take over the website.
  • An attacker can compromise the web server also.
  • An attacker can put a phishing page into the website and deface the website.

Solution

A fix for this vulnerability has been released. Update WordPress Contact Form 7 plugin to version 5.3.2 or later.

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments