A WordPress plugin with more than five million active installs has issued an urgent update to patch a critical file upload vulnerability.
The plugin, Contact Form 7, lets site owners add multiple contact forms to their site. Security researchers at Astra recently found that it contained a serious vulnerability.
The vulnerability is being tracked as CVE-2020-35489 and a patch has been included within the Contact Form 7 5.3.2 update. The Contact Form 7 project has classified the update as “an urgent security and maintenance release” and advised users to install it immediately.
“Our research team led by Jinson Varghese recently discovered a high-severity Unrestricted File Upload vulnerability in the WordPress plugin Contact Form 7 5.3.1 and older versions,” the Astra blog explained.
“By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed uploadable file types on a website. Further, it allows an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms.”
The flaw lies in the part of the Contact Form 7 code that sanitises uploaded file names: it did not remove special characters from them. An attacker could therefore upload a file whose name carries a double extension separated by such a character, so that the name passes the allowed-type check while still ending in an executable extension. That could allow the attacker to execute arbitrary code on the victim’s server.
The patched version of Contact Form 7 adds a regular-expression check that strips those characters from file names, so they can no longer be used to hide a second extension in this way.
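To make the bypass and the fix concrete, here is an added Python example. It is not code from the article, from Astra or from the Contact Form 7 project. It assumes, as a simplification, that “special characters” means Unicode control and format characters (a tab, a zero-width space, a right-to-left override), that the weak check inspects only the text after the last dot, and that the allow-list, the executable-extension list and the sample upload names are made up for the example rather than taken from the plugin or from a real incident.

```python
import re
import unicodedata

# Constructed example values; these are not the plugin's own lists.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def naive_is_allowed(filename: str) -> bool:
    """Weak check modelled on the flaw the article describes (hypothetical, not
    Contact Form 7's code): it looks only at the text after the final '.', and
    leaves control characters in the name untouched."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def strip_special_characters(filename: str) -> str:
    """Remove Unicode control, format, surrogate, private-use and unassigned
    characters (general categories Cc, Cf, Cs, Co, Cn), then drop anything
    outside a conservative allow-list. Assumed sanitiser for this example, not
    the 5.3.2 patch itself."""
    no_controls = "".join(
        ch for ch in filename if not unicodedata.category(ch).startswith("C")
    )
    return re.sub(r"[^A-Za-z0-9._-]+", "", no_controls)


def hardened_check(filename: str) -> tuple:
    """Sanitise first, then inspect every extension rather than only the last one.
    Returns (allowed, sanitised_name)."""
    clean = strip_special_characters(filename)
    parts = clean.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, clean
    extensions = parts[1:]
    # A double extension such as shell.php.jpg is rejected outright.
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False, clean
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return False, clean
    return True, clean


# Constructed upload names, as they might appear in a form-upload log.
SAMPLE_UPLOAD_NAMES = [
    "brochure.pdf",
    "shell.php\t.jpg",        # a tab hides the inner .php extension
    "photo.jpg",
    "cmd.phtml\u200b.png",    # zero-width space (category Cf)
    "invoice.php.txt",        # plain double extension, no special character
]


def flag_suspicious(names):
    """Detection pass: return names that contain any C* character, or that carry
    an executable extension anywhere before the final one."""
    flagged = []
    for name in names:
        has_control = any(unicodedata.category(ch).startswith("C") for ch in name)
        inner = strip_special_characters(name).lower().split(".")[1:-1]
        if has_control or any(ext in EXECUTABLE_EXTENSIONS for ext in inner):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    crafted = "shell.php\t.jpg"
    print("naive check accepts crafted name:", naive_is_allowed(crafted))
    print("hardened check:", hardened_check(crafted))
    print("flagged:", [repr(n) for n in flag_suspicious(SAMPLE_UPLOAD_NAMES)])
```

The naive check accepts `shell.php<TAB>.jpg` because the text after the last dot is `jpg`. The hardened path first strips the tab, which turns the name into `shell.php.jpg`, and then rejects it because `php` appears as an extension. The flagging function applies the same idea as a detection pass over upload names, which is useful when checking whether a site was targeted before the update was applied.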
Other double-extension vulnerabilities have surfaced this year, including one affecting Drupal, a rival CMS used by more than a million websites.
Via BleepingComputer