Thailand News

Breaking news headlines

Info

WordPress Plugin with 5M+ installs found to be vulnerable

Contact Form 7, a popular WordPress plugin used in over 5 million websites, was found to be vulnerable to an unrestricted file upload vulnerability which would allow anyone to upload arbitrary files to the website under certain conditions. Jinson Varghese Behanan, a security researcher from Astra Security found the vulnerability which affects versions 5.3.1 and below, and disclosed it to the plugin developer on December 16. Version 5.3.2 fixing the issue was released the very next day. From the plugin’s WordPress page, it can be seen that only 35% of the total active installations have updated to the latest version at the time of publishing this article.

Due to this reason, technical details about the exploit hasn’t been shared. On analysing the patch applied in the update, the vulnerability seems to occur within the filename validation check in the plugin. Inserting certain special characters in a double extension filename (webshell.php.jpg) seems to bypass the validation checks present in the previous versions and thus result in the upload of executable files to the server. This enables anyone to upload a malicious file like a web shell to the server, provided that the website has file upload feature enabled in Contact Form 7. Vulnerabilities associated with plugins have long been the primary way for most WordPress hacks. Contact Form 7, which is one of the most used plugins, if not the most, is believed to be installed on around 10 million WordPress websites. As a result, the consequences of being vulnerable to unrestricted file upload includes complete system takeover, website defacement, etc. CVE-2020-35489 was assigned to the vulnerability which has been given a CVSS score of 10.0, considering its critical nature.

Jinson, who has found such critical vulnerabilities in other WordPress plugins as well as multiple popular commercial software, reported that even though the specific requirements for a successful exploit narrows down the number of affected websites, it is still recommended that all users update the plugin to the latest version.

Source: wikinews.org

Wikinews

Share this article:

Share on LinkedIn Share on Reddit Share on WhatsApp

Leave a Reply

Your email address will not be published. Required fields are marked *

george


Thailand News delivers the latest updates and in-depth coverage on all things Thailand. We offer a wide array of topics, including breaking news, politics, tourism, business, culture, lifestyle, and entertainment. Get breaking news and the latest news headlines from Bangkok, Phuket, Pattaya, Chiang Mai, Northern Thailand, Isan, the insurgency-plagued South and Asia.

Related Posts

Microsoft Invests $1 Billion to Boost AI Infrastructure in Thailand

Mor Prom launches a LINE tool to track the effects of PM 2.5 on health

Yahoo Search Ceases Operations in Thailand