Contact Form 7, a popular WordPress plugin used on over 5 million websites, was found to be vulnerable to an unrestricted file upload vulnerability that would allow anyone to upload arbitrary files to the website under certain conditions. Jinson Varghese Behanan, a security researcher from Astra Security, found the vulnerability, which affects versions 5.3.1 and below, and disclosed it to the plugin developer on December 16. Version 5.3.2, fixing the issue, was released the very next day. From the plugin’s WordPress page, it can be seen that only 35% of the total active installations had updated to the latest version at the time of publishing this article.
For this reason, technical details of the exploit have not been shared. Analysis of the patch applied in the update suggests that the vulnerability lies in the plugin’s filename validation check. Inserting certain special characters into a double-extension filename (webshell.php.jpg) appears to bypass the validation checks present in the previous versions and thus allows executable files to be uploaded to the server. This enables anyone to upload a malicious file such as a web shell to the server, provided that the website has the file upload feature enabled in Contact Form 7.

Plugin vulnerabilities have long been the primary entry point for most WordPress hacks. Contact Form 7, one of the most used plugins, if not the most used, is believed to be installed on around 10 million WordPress websites. As a result, the consequences of being vulnerable to unrestricted file upload include complete system takeover, website defacement, etc. CVE-2020-35489 was assigned to the vulnerability, which has been given a CVSS score of 10.0 in view of its critical nature.
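To illustrate the class of check the article describes, the following is an added example of a conservative upload filename validator; it is not Contact Form 7’s own code and does not reproduce the plugin’s patch. The allow list, the executable-extension list and the strict character policy are assumptions chosen for the example.

```php
<?php
// Added illustration, not Contact Form 7 code. A conservative upload
// filename check: rejects names carrying control or special characters
// and names where any extension segment, not only the last one, is
// server-executable (so "webshell.php.jpg" is refused outright).

function is_safe_upload_filename(string $name, array $allowed_ext): bool
{
    // Keep only the basename so no directory components survive.
    $name = basename($name);

    // Assumed policy: allow only ASCII letters, digits, dot, underscore
    // and hyphen. This drops control bytes, null bytes, spaces, quotes
    // and anything else with meaning to a shell, URL or filesystem.
    if (preg_match('/[^A-Za-z0-9._-]/', $name)) {
        return false;
    }

    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dotfile like .htaccess
    }

    // Every segment after the base name is treated as an extension.
    $executable = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7',
                   'phar', 'phps', 'pht', 'cgi', 'pl', 'sh', 'htaccess'];
    foreach (array_slice($parts, 1) as $segment) {
        $segment = strtolower($segment);
        if ($segment === '' || in_array($segment, $executable, true)) {
            return false;
        }
    }

    // The final extension must additionally be on the explicit allow list.
    return in_array(strtolower(end($parts)), $allowed_ext, true);
}

// Constructed sample filenames and the verdict each should receive.
$allowed = ['jpg', 'jpeg', 'png', 'pdf'];
$samples = [
    'report.pdf'             => true,
    'photo.JPG'              => true,
    'webshell.php.jpg'       => false, // double extension
    "webshell.php\x00.jpg"   => false, // embedded null byte
    "webshell.php\t.jpg"     => false, // control character
    '../../wp-config.php'    => false, // path traversal attempt
    '.htaccess'              => false, // dotfile
];
foreach ($samples as $file => $expected) {
    $ok = is_safe_upload_filename($file, $allowed);
    printf("%-24s => %s\n", addcslashes($file, "\0..\37"),
           $ok === $expected ? 'as expected' : 'MISMATCH');
}
```

Rejecting on any executable segment, rather than only inspecting the last extension, is what closes the double-extension gap regardless of which separator or special character is inserted between the two extensions.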
Jinson, who has found such critical vulnerabilities in other WordPress plugins as well as in multiple popular commercial software products, reported that even though the specific requirements for a successful exploit narrow down the number of affected websites, it is still recommended that all users update the plugin to the latest version.