A vulnerability has been discovered in the popular contact form plugin Contact Form 7 that allows an attacker to upload malicious scripts. This vulnerability was discovered by Astra Security.
This allows an attacker to upload a web shell (a malicious script) that can then be used to take over a site or tamper with the database.
The developers of Contact Form 7 have released an update to fix the vulnerability.
Contact Form 7 calls their latest update an “urgent security and maintenance release.”
From the developers of Contact Form 7:
“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”
Filename sanitization works by rejecting file names with dangerous extensions and allowing only a restricted set of file types through. In the case of Contact Form 7, a flaw in the filename sanitization meant that certain kinds of dangerous files were still allowed through.
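To show what a robust version of this check looks like, here is an added example of an allowlist-based upload filename sanitizer. It is illustrative code written for this post, not Contact Form 7's own `wpcf7_antiscript_file_name()` routine; the function name, the extension lists and the sample file names are all assumptions chosen for the demonstration. It strips path components and control characters before examining the extension, looks at every dot-separated segment rather than only the last one, and never keeps the submitter's base name on disk.

```php
<?php
// Added example (not Contact Form 7 code): allowlist-based upload filename check.

// Extensions the form is willing to accept (assumed list for this example).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Extensions that a web server may execute as a script (assumed list).
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                           'pht', 'cgi', 'pl', 'py', 'sh', 'asp', 'aspx', 'jsp',
                           'js', 'html', 'htm', 'svg'];

/**
 * Returns a safe on-disk name for an uploaded file, or null if the upload
 * must be rejected.
 */
function sanitize_upload_filename(string $original): ?string
{
    // 1. Drop any directory component the client supplied (path traversal).
    $name = basename(str_replace('\\', '/', $original));

    // 2. Remove NUL bytes and other control characters *before* looking at the
    //    extension, so the check sees the same string the filesystem will see.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // 3. Collapse anything outside a small safe character set to an underscore.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = trim($name, '._');

    // A file with no extension at all cannot be classified: reject it.
    if ($name === '' || strpos($name, '.') === false) {
        return null;
    }

    // 4. The final extension must be on the allowlist ...
    $parts = explode('.', strtolower($name));
    $ext   = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // ... and no intermediate segment may be a script extension, so that
    // "image.php.jpg" is caught as well as "image.php". The first segment is
    // the base name and is not an extension, so it is skipped.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, SCRIPT_EXTENSIONS, true)) {
            return null;
        }
    }

    // 5. Never keep the submitter's base name: a random name removes whatever
    //    the sanitizer might have missed and stops guessing of upload URLs.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample inputs for the demonstration.
$samples = ['report.pdf', 'holiday photo.JPG', 'shell.php', 'image.php.jpg',
            '../../up.png', "report\t.pdf", 'README'];

foreach ($samples as $candidate) {
    $result = sanitize_upload_filename($candidate);
    printf("%-22s => %s\n", json_encode($candidate), $result ?? 'REJECTED');
}
```

Running this accepts `report.pdf`, `holiday photo.JPG` (renamed with a random base and `.jpg`), `../../up.png` (path stripped) and `report\t.pdf` (control character stripped before the extension check), and rejects `shell.php`, `image.php.jpg` and `README`. Whatever the sanitizer does, the upload directory should also be configured so the web server never executes files stored there; the filename check is one layer, not the only one.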
The vulnerability has been fixed in Contact Form 7 Version 18.104.22.168 and we urge website owners to upgrade as soon as possible. Our team is currently patching any affected client sites with a Care Plan.