A critical vulnerability was found in Contact Form 7. The WordPress utility is activated on more than 5 million websites, and 70% of these are running the unprotected 5.3.1 version or older. The vulnerability allows attackers to bypass Contact Form 7’s filename sanitization and upload a file that can be executed as a script file on the host server.
Contact Form 7 can manage multiple contact forms. You can customize the form and the mail contents simply with the help of it. The form supports Ajax-powered submitting, Akismet spam filtering, and also CAPTCHA.
WordPress allows multiple user roles such as contributors, editors, subscribers, authors, etc. In Contact Form 7, this vulnerability allows attackers to bypass Contact Form 7’s filename sanitization. A user can behave like a contributor and be able to edit the content form. This feature should be available only for editors and admins. With this permission, the attacker can also upload a malicious code that can be used to tamper with a database and obtain a reverse shell, opening the way for further attacks.
Enable your WAF 2.0 module on the Dashboard, sit back, and enjoy the ultimate server security protection.
Sign up for a free trial
Don’t risk your web hosting business! Download BitNinja now and enjoy the free trial with full functionality for 7-days. No credit card needed!
We are always happy to help you! If you have any questions, check out our Knowledgebase; feel free to ask at firstname.lastname@example.org, or you can even reach us on the Dashboard chat!
Have a Hacker-free Festive Season!
Start the 7-day free trial with full functionality without spending a cent.
After the “Hello, Peppa!” zero-day botnet, our Attack Vector Miner detected another zero-day...
At the end of the last year, we made...