Contact Form 7 Vulnerability in +5 Million Sites

A vulnerability has been discovered in Contact Form 7 that allows an attacker to upload malicious scripts. The publishers of Contact Form 7 have released an update to fix the vulnerability.

Unrestricted File Upload Vulnerability

An unrestricted file upload vulnerability in a WordPress plugin is one where the plugin lets an attacker upload a web shell (a malicious script) that can then be used to take over the site, tamper with its database, and so on.

A web shell is a malicious script, written in any language the web server will execute, that is uploaded to a vulnerable site, processed by the server and then used to gain access, execute commands, tamper with the database, and so on.

Contact Form 7 calls its latest update an “urgent security and maintenance release.”

According to Contact Form 7:

“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions.

Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”

A more detailed description of the vulnerability was published on Contact Form 7’s WordPress plugin repository page.

These are the additional details about the vulnerability that were shared on the official WordPress plugin repository for Contact Form 7:

“Removes control, separator, and other types of special characters from filename to fix the unrestricted file upload vulnerability issue.”

Screenshot of WordPress Plugin Changelog Update Description

The screenshot above is of the Contact Form 7 plugin “more info” description that is shown when updating the plugin from a WordPress installation. The wording matches what is published on the official WordPress repository for the plugin.


Filename Sanitization

Filename sanitization refers to the logic in an upload handler that controls which files are accepted by normalizing and restricting the submitted file name. It is designed to limit what kinds of files can be uploaded, typically by removing or rejecting characters that could change the file’s extension, and it may also control the path the file is stored under.

A filename sanitization function works by blocking certain file names and/or allowing only a restricted list of file names or extensions.

In the case of Contact Form 7, there was a flaw in the filename sanitization that created a situation where certain kinds of dangerous files were inadvertently allowed.
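As an added illustration of the upload-handling and filename-sanitization points above (this is example code written for this page, not Contact Form 7’s own sanitizer, and the sample file names are constructed; the page does not describe the actual bypass used against 5.3.1), the following PHP contrasts a weak sanitizer that only strips path separators with a hardened one that removes control, separator and other special characters first and only then checks the extension against an allow-list, in the order the changelog describes:

```php
<?php
// Added example, not Contact Form 7's own code. Two sanitizers run over
// constructed file names: a weak one that only strips path separators, and a
// hardened one that strips control/separator/special characters first and only
// then allow-lists the extension. The sample names are constructed for
// illustration; the page does not describe the actual bypass used.

// Weak sanitizer: removes path separators and spaces, nothing else.
// Control characters such as NUL or newline survive untouched.
function weak_sanitize_filename(string $name): string
{
    return str_replace(['/', '\\', ' '], '', $name);
}

// Hardened sanitizer: returns a safe name, or null if the upload must be rejected.
function hardened_sanitize_filename(string $name, array $allowed_ext): ?string
{
    // 1. Drop control characters (0x00-0x1F, 0x7F) before anything else, so they
    //    cannot split or hide an extension from the checks that follow.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // 2. Keep only the last path segment (handles both "/" and "\" separators).
    $name = preg_replace('#^.*[/\\\\]#', '', $name);

    // 3. Reduce to a conservative character set; everything else is removed.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);

    // 4. Collapse repeated dots and strip leading dots (no hidden files such as .htaccess).
    $name = preg_replace('/\.{2,}/', '.', $name);
    $name = ltrim($name, '.');

    if ($name === '' || strlen($name) > 255) {
        return null;
    }

    // 5. Allow-list the final extension.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }

    // 6. Reject "double extension" names such as shell.php.jpg: some Apache
    //    configurations hand any name containing ".php" to the PHP handler.
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'cgi', 'pl'];
    $segments = explode('.', strtolower($name));
    foreach (array_slice($segments, 0, -1) as $segment) {
        if (in_array($segment, $executable, true)) {
            return null;
        }
    }

    return $name;
}

// Constructed sample inputs (hypothetical, for this example only).
$samples = [
    "report.pdf",
    "../../../shell.php",
    "shell.php\x00.jpg",   // NUL between a script extension and an allowed one;
                           // an extension check done before stripping would see ".jpg"
    "shell.p\nhp",         // newline inside the extension; stripping reveals "php"
    "shell.php.jpg",       // double extension
    ".htaccess",
];
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

foreach ($samples as $s) {
    printf(
        "%-28s weak=%-28s hardened=%s\n",
        json_encode($s),
        json_encode(weak_sanitize_filename($s)),
        var_export(hardened_sanitize_filename($s, $allowed), true)
    );
}
```

Of the constructed inputs only report.pdf survives the hardened sanitizer; every other name is rejected, while the weak sanitizer passes them all through with the NUL and newline bytes intact. The order matters: stripping control and separator characters after the extension has already been validated leaves a window in which the name that is checked is not the name that is stored. Even with a sanitizer like this, the safer design is to store uploads under a server-generated random name, outside the web root, and to check the file type rather than trusting the extension alone.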

Vulnerability Fixed in Contact Form 7 Version 5.3.2

The filename sanitization vulnerability is fixed in Contact Form 7 version 5.3.2.

All versions of Contact Form 7 from 5.3.1 and below are considered vulnerable and should be updated immediately.

Read the announcement at Contact Form 7: Contact Form 7 5.3.2