The WordPress plugin Contact Form 7, version 5.3.1 and older, is vulnerable to Unrestricted File Upload.
By exploiting this vulnerability, an attacker could upload files of any type, bypassing the restrictions on allowed file types configured on the website.
An attacker can inject malicious content such as web shells into any site that runs Contact Form 7 version 5.3.1 or older and has file upload enabled on its forms.
Consequences of Unrestricted File Upload vulnerability in Contact Form 7 (5.3.1 & older versions)
- Possible to upload a web shell and inject malicious scripts
- Complete takeover of the website & server if there is no containerization between websites on the same server
- Defacing the website
The issue was first reported by Jinson Varghese at ASTRA IT, Inc.
The PoC (proof of concept) will be published on December 31, 2020 at https://wpscan.com/vulnerability/10508, to give users time to update.
How to remove the ‘Contact Form 7’ 5.3.1 plugin vulnerability
Takayuki Miyoshi, the developer of Contact Form 7, was quick to release the fix for Contact Form 7 in version 5.3.2.
You can fix this issue with the following steps:
- Log in to your WordPress admin dashboard
- Go to Plugins from the side menu
- You will see the list of installed plugins. Under Contact Form 7 you will see a pink bar saying that a new version is available, with a link to update the plugin.
- Simply click the "update now" link and it is all done. Once updated, the plugin list will show Contact Form 7 at version 5.3.2.
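If you manage several WordPress installs, clicking through each dashboard does not scale, and the first question is simply which sites still run a vulnerable release. The script below is an added example (not code from the post or from the Contact Form 7 project): it reads the `Version:` line from a plugin's main file, compares it against the fixed release 5.3.2, and reports whether the install still needs the update. The path `wp-content/plugins/contact-form-7/wp-contact-form-7.php` is the assumed location of the plugin's main file; the header used here is a constructed sample written to a temporary file so the script runs offline.

```shell
#!/bin/sh
# Added example: flag Contact Form 7 installs older than the fixed release 5.3.2.

# Return 0 (shell "true") when the given version string is older than 5.3.2,
# i.e. falls in the affected range "5.3.1 and older". Accepts "X", "X.Y" or "X.Y.Z".
cf7_is_vulnerable() {
    v=$1
    # Pad missing components so "5.3" and "5" compare like "5.3.0" and "5.0.0"
    case $v in *.*) ;; *) v="$v.0" ;; esac
    case $v in *.*.*) ;; *) v="$v.0" ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}   # drop anything after a third component
    [ "$major" -lt 5 ] && return 0
    [ "$major" -gt 5 ] && return 1
    [ "$minor" -lt 3 ] && return 0
    [ "$minor" -gt 3 ] && return 1
    [ "$patch" -lt 2 ]
}

# Print the value of the "Version:" line in a WordPress plugin header file ($1).
# The header sits inside a /* ... */ comment, optionally prefixed with " * ".
cf7_installed_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Check one install: prints a verdict and returns 1 when an update is still needed.
cf7_check() {
    ver=$(cf7_installed_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no Version header found in $1"
        return 2
    fi
    if cf7_is_vulnerable "$ver"; then
        echo "VULNERABLE: Contact Form 7 $ver is older than 5.3.2, update required"
        return 1
    fi
    echo "OK: Contact Form 7 $ver already includes the fix"
    return 0
}

# Constructed sample header standing in for the (assumed) real file
# wp-content/plugins/contact-form-7/wp-contact-form-7.php on a vulnerable site.
SAMPLE_HEADER=$(mktemp)
trap 'rm -f "$SAMPLE_HEADER"' EXIT
cat > "$SAMPLE_HEADER" <<'EOF'
<?php
/*
Plugin Name: Contact Form 7
Plugin URI: https://contactform7.com/
Version: 5.3.1
*/
EOF

# Stand-alone run against the constructed sample (expected verdict: VULNERABLE).
cf7_check "$SAMPLE_HEADER" || :
```

To check a real install, point `cf7_check` at the plugin's main file under `wp-content/plugins/contact-form-7/`. Where WP-CLI is available, `wp plugin get contact-form-7 --field=version` reports the installed version and `wp plugin update contact-form-7` performs the same update as the dashboard steps above.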
I hope this post has helped you. If you have any query regarding WordPress, please write to me at contact@growthtechnosoft.com. I will be happy to help you further.