Contact Form 7: Over 5 million WordPress sites affected by critical vulnerability

Reports of vulnerabilities in WordPress plugins have become a daily occurrence, and while most of these flaws are detected in time, timely detection is not the only factor in preventing their exploitation. A cybersecurity firm has reported the finding of a new flaw in Contact Form 7, a popular plugin for creating multiple forms. If exploited, this vulnerability would allow threat actors to escalate privileges on the vulnerable site.

A hacker who manages to exploit the vulnerability could perform various malicious activities, such as modifying content, redirecting visitors to unknown sites, stealing information, and could even take full control of the target site and block access to the legitimate administrator. On top of that, Google could detect this anomalous behavior and arbitrarily block the site, complicating the recovery process.

About the vulnerability

Contact Form 7 content is stored in a folder called wp-content on each WordPress site; this folder contains data related to the content of the site, but does not store sensitive information. According to cybersecurity specialists, if a hacker manages to access the files outside this folder, the target user faces multiple security issues due to the confidential nature of its content.

It is assumed that only site administrators can modify the content of forms created with Contact Form 7, a function controlled by a parameter called capability_type, which defines user permissions. A security flaw in this parameter allows any user, regardless of their privilege level, to make changes to the forms.
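To show what the capability_type setting decides, here is an added example (not Contact Form 7's own code) of a weak and a hardened registration of a form post type in a WordPress plugin; the post type name example_form, the capability names and the role grants are assumptions for illustration.

```php
<?php
// Added example, not Contact Form 7's own code. Post type 'example_form',
// the capability names and the role grants are assumptions for illustration.

// Weak: capability_type 'post' borrows the built-in post capabilities, so any
// user holding edit_posts (contributors and above) may edit these forms.
function example_register_form_type_weak() {
    register_post_type( 'example_form', array(
        'show_ui'         => true,
        'capability_type' => 'post',
        'map_meta_cap'    => true,
    ) );
}

// Hardened: a dedicated capability set (edit_example_form, edit_example_forms,
// delete_example_forms, ...) that no role holds until it is granted explicitly.
function example_register_form_type_hardened() {
    register_post_type( 'example_form', array(
        'show_ui'         => true,
        'capability_type' => array( 'example_form', 'example_forms' ),
        'map_meta_cap'    => true,
    ) );
}
add_action( 'init', 'example_register_form_type_hardened' );

// Grant the dedicated capabilities to administrators only (on activation).
// Editors and contributors never receive them, so they cannot edit forms.
function example_grant_form_caps() {
    $role = get_role( 'administrator' );
    if ( ! $role ) { return; }
    $caps = array(
        'edit_example_forms', 'edit_others_example_forms',
        'edit_published_example_forms', 'edit_private_example_forms',
        'publish_example_forms', 'read_private_example_forms',
        'delete_example_forms', 'delete_others_example_forms',
        'delete_published_example_forms', 'delete_private_example_forms',
    );
    foreach ( $caps as $cap ) {
        $role->add_cap( $cap );
    }
}
register_activation_hook( __FILE__, 'example_grant_form_caps' );

// Defence in depth: any custom handler that changes a form (for example its
// list of accepted upload types) should re-check the meta capability first.
function example_user_may_edit_form( $post_id ) {
    return 'example_form' === get_post_type( $post_id )
        && current_user_can( 'edit_post', $post_id );
}
```

With map_meta_cap enabled, current_user_can( 'edit_post', $post_id ) resolves to the dedicated edit_example_forms family of capabilities, so a contributor's edit_posts no longer grants access to the forms.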

A second attack scenario can be triggered by modifying the types of files a Contact Form 7 form accepts. Some forms ask users to upload files in various formats (PDF, JPG, and GIF among others); by exploiting the vulnerability, a threat actor could alter the plugin settings to upload executables (PHP, ASP and others) to the target site and deploy other attack variants, cybersecurity specialists mentioned.

The report was sent to the plugin developers, who fixed the bug with the release of version 5.0.4. The International Institute of Cyber Security (IICS) strongly recommends that administrators of vulnerable deployments update to the latest version as soon as possible and protect their websites.
