A research post from Astra Security is warning WordPress users about a severe vulnerability in the popular Contact Form 7 plugin. Authored by head researcher Jinson Varghese, the post details the bug, tracked as CVE-2020-35489, in a plugin that is used by roughly 5 million websites worldwide. Created by Takayuki Miyoshi, Contact Form 7 lets a WordPress site run multiple contact forms rather than a single one.
The vulnerability in question is classified as an “Unrestricted File Upload” and affects Contact Form 7 versions 5.3.1 and earlier. The plugin’s file-upload form field is supposed to restrict what can be uploaded by file extension; the bug lets a file slip past that filter, so an attacker can place a file of any type, including an executable script, on the web server. Jinson Varghese notes in the Astra Security blog post that this leads to three likely outcomes.
The first is a threat actor uploading a web shell (a script that gives the attacker remote command execution on the server) and injecting malicious scripts into the site. The second is an attacker taking over the WordPress site and the server it runs on, which Varghese notes extends to other sites on the same machine only if “there is no containerization between websites on the same server.” The third outcome of CVE-2020-35489 is defacement of the website running Contact Form 7.
CVE-2020-35489 was reported to Takayuki Miyoshi by Astra Security’s research team on Dec. 16, 2020. The Contact Form 7 team, including Miyoshi, acknowledged the issue immediately and set about patching it. In lightning-fast fashion, the developers released a stable fix (version 5.3.2), whose changelog describes the change as removing control, separator and other special characters from the uploaded file name. All users of the plugin are strongly advised to update to the current version of Contact Form 7 right away.
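A quick way to confirm that a site is actually on the fixed release, and to look for the kind of upload the post warns about, is a small script run on the web server. The following is an added example, not code from the Astra Security post or from the Contact Form 7 project. It assumes the standard WordPress layout (the plugin’s main file at wp-content/plugins/contact-form-7/wp-contact-form-7.php, uploads under wp-content/uploads); the version threshold 5.3.2 comes from the article, while the extension patterns it flags and the throwaway fixture it builds with make_fixture are this example’s own choices and constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the Astra Security post or from Contact Form 7.
# Checks whether the installed Contact Form 7 is older than 5.3.2 (the release
# that fixes CVE-2020-35489) and lists script-like files under
# wp-content/uploads. Assumes the standard WordPress layout: the plugin's
# main file at wp-content/plugins/contact-form-7/wp-contact-form-7.php and
# uploads under wp-content/uploads. The tree built by make_fixture is
# constructed sample data, not a real site.

CF7_FIXED="5.3.2"

# version_lt A B: succeeds (exit 0) when dotted version A is older than B.
# Missing components count as 0, so 5.3 < 5.3.2, and 5.10 > 5.3.2.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ah="${ah:-0}"; bh="${bh:-0}"
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1
}

# cf7_version WP_ROOT: prints the Version: field from the plugin header,
# or fails if the plugin's main file is not present.
cf7_version() {
    f="$1/wp-content/plugins/contact-form-7/wp-contact-form-7.php"
    [ -r "$f" ] || return 1
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1
}

# cf7_vulnerable WP_ROOT: 0 if the installed plugin predates the fix,
# 1 if it is 5.3.2 or newer, 2 if the plugin is not installed.
cf7_vulnerable() {
    v="$(cf7_version "$1")" || return 2
    [ -n "$v" ] || return 2
    version_lt "$v" "$CF7_FIXED"
}

# suspicious_uploads WP_ROOT: files under uploads whose name carries a PHP-style
# extension anywhere, so double extensions such as name.php.txt are reported too.
# The uploads directory should hold media, not scripts; anything listed deserves a look.
suspicious_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php*' -o -iname '*.phtml*' -o -iname '*.phar*' \) 2>/dev/null
}

# make_fixture VERSION: builds a constructed, throwaway site tree in a temp
# directory with the given plugin version, one benign upload and two
# script-like uploads; prints the root path.
make_fixture() {
    root="$(mktemp -d)"
    plugin="$root/wp-content/plugins/contact-form-7"
    uploads="$root/wp-content/uploads/2020/12"
    mkdir -p "$plugin" "$uploads"
    printf '<?php\n/*\nPlugin Name: Contact Form 7\nVersion: %s\n*/\n' "$1" > "$plugin/wp-contact-form-7.php"
    printf 'constructed placeholder, not an image\n' > "$uploads/photo.jpg"
    printf '<?php echo "constructed sample, not a real web shell";\n' > "$uploads/shell.php"
    printf '<?php echo "double extension";\n' > "$uploads/report.php.txt"
    echo "$root"
}

# Usage: sh cf7_check.sh /var/www/html
# With no argument the script runs against the constructed fixture (CF7 5.3.1).
site="${1:-$(make_fixture 5.3.1)}"
if cf7_vulnerable "$site"; then
    echo "Contact Form 7 $(cf7_version "$site") predates $CF7_FIXED: update now"
else
    echo "Contact Form 7 is $CF7_FIXED or newer, or not installed"
fi
echo "Script-like files under wp-content/uploads:"
suspicious_uploads "$site"
```

On a real install the update itself is a single WP-CLI command, wp plugin update contact-form-7, or a click in the WordPress admin. The upload scan is deliberately broad: a PHP file under uploads is not proof of compromise, but on a site that ran a vulnerable Contact Form 7 with a file-upload field, every hit should be explained before it is dismissed.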
Considering that more than 5 million websites use this plugin, waiting to update is simply a risk not worth taking. (For other tips on securing your WordPress site, see this article by Amy Babinchak.) Whenever a vulnerability is publicly disclosed, threat actors (black hat hackers, nation-state agents and others) start hunting for installations that have not been patched. Once a fix for a highly severe vulnerability is released, it is a race against time. Don’t wait.
Featured image: Flickr/Nikolay Bachiyski