HiTLeR
Posted December 19, 2020

Patch has been issued for the critical file upload vulnerability

A WordPress plugin with more than five million active installs has issued an urgent update to patch a critical file upload vulnerability. The plugin, Contact Form 7, lets users add multiple contact forms to their site, but was recently found by Astra Security researchers to contain a serious vulnerability.

The vulnerability is tracked as CVE-2020-35489 and a patch is included in the Contact Form 7 5.3.2 update. The Contact Form 7 project has classified the update as "an urgent security and maintenance release" and advised users to install it immediately.

"Our research team led by Jinson Varghese recently discovered a high-severity Unrestricted File Upload vulnerability in the WordPress plugin Contact Form 7 5.3.1 and older versions," the Astra blog explained. "By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. Further, it allows an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms."

Double trouble

The vulnerability concerns a part of the Contact Form 7 plugin code that does not remove special characters from uploaded file names. As a result, an attacker can upload a file whose name carries a double extension separated by a special character, so the script extension is not caught by the plugin's extension check. This could potentially allow an attacker to execute arbitrary code on the victim's server.

The patched version of Contact Form 7 adds a regular-expression validation step so that special characters in file names can no longer be exploited in this way.
Other double-extension vulnerabilities have been seen elsewhere this year, including one affecting the Drupal CMS platform, a WordPress rival that is used by more than a million websites.
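The kind of file-name check the "Double trouble" section describes, beside a hardened alternative, as an added example that is not Contact Form 7's own code and is not taken from the Astra write-up. The deny pattern for script extensions, the per-form extension allowlist and the sample file names are assumptions constructed for this demonstration; the tab and the zero-width space stand in for the "special character" the article mentions.

```python
import re
import unicodedata

# Hypothetical deny-pattern for script-like extensions, modelled on the kind
# of check the article describes (assumption, not Contact Form 7's code).
SCRIPT_EXT = re.compile(r"^(php|phtml|pl|py|rb|cgi|asp|aspx)\d?$", re.IGNORECASE)

# Hypothetical per-form allowlist of upload types (assumption).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Strict shape for a whole file name once invisible characters are gone:
# a base name, then one or more dot-separated alphanumeric segments.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")


def naive_rename(filename: str) -> str:
    """Vulnerable pattern: split on '.', neutralise segments that look like a
    script extension, but never strip special characters first.

    A control character glued to a segment ("php\\t") stops SCRIPT_EXT from
    matching, so the name passes through untouched.
    """
    parts = filename.split(".")
    if len(parts) < 2:
        return filename
    base, ext, middle = parts[0], parts[-1], parts[1:-1]
    out = base
    for part in middle:
        out += "." + part + ("_" if SCRIPT_EXT.match(part) else "")
    if SCRIPT_EXT.match(ext):
        out += "." + ext + "_.txt"
    else:
        out += "." + ext
    return out


def strip_invisible(name: str) -> str:
    """Drop every Unicode 'Other' (C*) and 'Separator' (Z*) code point:
    controls such as tab, format characters such as zero-width space, and
    spaces."""
    return "".join(ch for ch in name if unicodedata.category(ch)[0] not in "CZ")


def hardened_filename(filename: str, allowed_ext=ALLOWED_EXT):
    """Hardened pattern: strip invisible characters first, then validate the
    whole name against an allowlist regex and the form's permitted extensions.
    Returns the cleaned name, or None when the upload must be rejected."""
    name = strip_invisible(filename)
    if not SAFE_NAME.fullmatch(name):
        return None  # slashes, odd punctuation, empty segments, ...
    segments = name.split(".")
    if segments[-1].lower() not in allowed_ext:
        return None
    # Reject script extensions anywhere in the name, not only at the end.
    if any(SCRIPT_EXT.match(seg) for seg in segments[1:]):
        return None
    return name


if __name__ == "__main__":
    # Constructed sample names; the tab and the zero-width space are the
    # "special characters" the article refers to.
    for sample in ["shell.php", "shell.php.jpg", "shell.php\t.jpg",
                   "a\u200bb.png", "report.pdf", "../../evil.png"]:
        print(repr(sample), "->", repr(naive_rename(sample)),
              "| hardened:", repr(hardened_filename(sample)))
```

The naive version leaves `shell.php\t.jpg` exactly as submitted because the tab is part of the segment the regex inspects; the hardened version strips the tab before looking at the name, sees the `php` segment, and rejects the upload. Whether a surviving name is actually executed depends on how the web server maps file names to handlers, so the usual defence in depth still applies: validate against an allowlist rather than a deny list, and store uploads outside the web root.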