
Contact Form 7 WordPress Plugin Vulnerability

Published: 22/12/2020

A critical vulnerability was found in Contact Form 7. The WordPress utility is activated on more than 5 million websites, and 70% of these are running the unprotected 5.3.1 version or older. The vulnerability allows attackers to bypass Contact Form 7’s filename sanitization and upload a file that can be executed as a script file on the host server.



WordPress provides multiple user roles, such as contributors, editors, subscribers and authors. This vulnerability allows an attacker to bypass Contact Form 7’s filename sanitization. A user with only the contributor role can edit the contact form, a capability that should be available only to editors and administrators. With that permission, the attacker can also upload malicious code that can be used to tamper with the database or obtain a reverse shell, opening the way for further attacks.

Version 5.3.2, an urgent security and maintenance release, is now available. We strongly recommend updating your plugin to it as soon as possible.
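Since the only mitigation the notice gives is the 5.3.2 upgrade, a hosting-side check that flags installs still on an older build is the natural follow-up. The script below is an added example, not code from Fast2Host or the Contact Form 7 project; it assumes the plugin's main file is wp-content/plugins/contact-form-7/wp-contact-form-7.php and reads the Version: field from that file's WordPress plugin header.

```python
"""Flag WordPress document roots running Contact Form 7 older than the 5.3.2 fix."""
import re
import sys
from pathlib import Path

FIXED_VERSION = (5, 3, 2)  # first release that closes the upload issue, per the announcement

# Assumption: the plugin's main file, whose header comment carries the "Version:" field.
PLUGIN_FILE = "wp-content/plugins/contact-form-7/wp-contact-form-7.php"


def parse_version(text):
    """'5.3.1' -> (5, 3, 1). Numeric tuples avoid the string-compare trap where '5.10' < '5.3'."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def header_version(contents):
    """Read the Version: field from a WordPress plugin header; None if it is missing."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", contents, re.MULTILINE)
    return m.group(1) if m else None


def classify(contents):
    """Map a plugin file's contents (None when the file is absent) to a status string."""
    if contents is None:
        return "not-installed"
    version = header_version(contents)
    if version is None:
        return "unknown"
    return "vulnerable" if parse_version(version) < FIXED_VERSION else "patched"


def scan_docroots(docroots):
    """Classify each WordPress document root; returns {docroot: status}."""
    results = {}
    for root in docroots:
        path = Path(root) / PLUGIN_FILE
        contents = path.read_text(errors="replace") if path.is_file() else None
        results[root] = classify(contents)
    return results


if __name__ == "__main__":
    # Usage: python cf7_check.py /var/www/site1 /var/www/site2 ...
    for root, status in scan_docroots(sys.argv[1:]).items():
        print(f"{status:14s} {root}")
```

Sites reported as "vulnerable" should be updated; "unknown" means a plugin file was present but its header could not be read and deserves a manual look.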


