Contact Form 7 WordPress Plugin Vulnerability

A critical WordPress plugin vulnerability has been discovered in Contact Form 7. This utility is currently active on over 5 million websites, with approximately 70% of them running the vulnerable 5.3.1 version or an older release.

By exploiting this vulnerability, attackers can bypass the filename sanitization of Contact Form 7 and upload a file that can be executed as a script on the host server.

Plugin description

Contact Form 7 can manage multiple contact forms, and it lets you customize the form and the mail contents simply. The form supports Ajax-powered submitting, Akismet spam filtering, and CAPTCHA.

The vulnerability

WordPress provides multiple user roles such as contributor, editor, subscriber, author, etc. This vulnerability allows attackers to bypass Contact Form 7's filename sanitization. A user holding only the contributor role is able to edit the contact form, a capability that should be available only to editors and admins.

With this permission, the attacker is able to upload malicious code, tamper with the database and obtain a reverse shell, paving the way for subsequent attacks.
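The vulnerability above comes down to an upload filename that survives sanitization and is later treated as a script by the web server. As an added example (not BitNinja's or Contact Form 7's code), the following audit routine flags submitted or already-stored upload names that a server might execute; the extension list and sample filenames are constructed assumptions and should be tuned to your own handler configuration.

```python
import re
import unicodedata

# Extensions a typical PHP host may execute as a script. Assumption: adjust to
# what your Apache/PHP-FPM handler configuration actually maps.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "cgi", "pl", "py", "sh"}

# ASCII control characters (tab, newline, NUL, ...) have no place in a filename.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalize_filename(name: str) -> str:
    """Reduce a submitted filename to the form the filesystem will actually store."""
    name = unicodedata.normalize("NFKC", name)
    name = CONTROL_CHARS.sub("", name)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    return name.strip(" .")  # trailing dots/spaces are dropped by some filesystems


def executable_parts(name: str) -> list[str]:
    """Return every dotted segment after the base name that is a script extension."""
    parts = name.lower().split(".")[1:]
    return [p for p in parts if p in SCRIPT_EXTENSIONS]


def is_risky_upload_name(raw_name: str) -> bool:
    """True when the name is one a server could treat as a script.

    Flags (a) control characters, which a lax sanitizer may leave in place, and
    (b) a script extension anywhere in the name, since double extensions such as
    a.php.png are executed by some AddHandler-style configurations.
    """
    if CONTROL_CHARS.search(raw_name):
        return True
    return bool(executable_parts(normalize_filename(raw_name)))


def audit(names):
    """Map each filename to its risk verdict, e.g. for a sweep of an uploads directory."""
    return {n: is_risky_upload_name(n) for n in names}


SAMPLE_UPLOADS = [  # constructed sample filenames, not real uploads
    "resume.pdf", "photo.JPG", "backdoor.php", "report.pdf\t.jpg",
    "image.php.png", "../../wp-config.php", "notes.txt.",
]

if __name__ == "__main__":
    for name, risky in audit(SAMPLE_UPLOADS).items():
        print(f"{'RISKY' if risky else 'ok   '} {name!r}")
```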

What you should do if you have BitNinja installed on your servers

Enable your WAF 2.0 module on the Dashboard, sit back, and enjoy the ultimate server security protection.


What you should do if you don’t have BitNinja installed on your servers

  1. Update Contact Form 7

    The urgent security and maintenance release, version 5.3.2, is available. We strongly recommend updating your plugin to it as soon as possible.

  2. Subscribe to BitNinja ServerProtection

    A vulnerability like this can have irreversible effects. It can lead to profit loss, or even worse: it can damage your reputation.

Sign up for a free trial

Don’t risk your web hosting business! Download BitNinja now and enjoy the free trial with full functionality for 7 days. No credit card needed!

We are always happy to help you! If you have any questions, check out our Knowledgebase; feel free to ask at info@bitninja.io, or you can even reach us on the Dashboard chat!

Have a Hacker-free Festive Season!

2023 BitNinja. All Rights reserved.