A vulnerability has been identified in Contact Form 7 that could allow an attacker to upload malicious scripts. The Contact Form 7 publishers have released an update to address the vulnerability.
Unrestricted file upload vulnerability
An unrestricted (open) file upload vulnerability in a WordPress plugin means that an attacker could use the plugin to upload a web shell (a malicious script) and then use it to take over the site, tamper with its database, and so on.
A web shell is a malicious script, written in any language the web server will execute, that is uploaded to a vulnerable site, processed by the server like any other script, and then used to gain access, run commands, tamper with the database, and so on.
The Contact Form 7 developers call the latest update an "urgent security and maintenance release".
According to Contact Form 7:
“An open file upload vulnerability was identified in Contact Form 7 5.3.1 and earlier.
This vulnerability could allow a form submitter to bypass Contact Form 7 filename sanitization and upload a file that can be run as a script file on the host server.”
A more detailed description of the vulnerability has been published on the Contact Form 7 WordPress plugin repository page.
These are the additional details about the vulnerability released in the official WordPress plugin repository for Contact Form 7:
"Removes controls, delimiters, and other types of special characters from the file name to resolve the open file upload vulnerability."
Screenshot of the description of the WordPress plugin changelog update
The screenshot above shows the Contact Form 7 "More Info" description that is displayed when updating the plugin from within a WordPress installation. Its wording matches what was published in the official WordPress plugin repository.
Filename sanitization
Filename sanitization refers to the part of an upload-processing script that decides which files are accepted, based on their filenames, by rejecting certain file types. Filename sanitization can also constrain file paths, so that an uploaded file cannot be written outside the intended upload directory.
A filename sanitization function blocks certain filenames and/or allows only a restricted list of them.
In the case of Contact Form 7, a flaw in the filename sanitization meant that certain types of dangerous files were inadvertently allowed through.
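To make the changelog entry concrete (controls, delimiters and other special characters removed from the filename, followed by a file-type allowlist), here is an added illustration of that kind of sanitization in PHP. It is example code written for this page, not Contact Form 7's own implementation; the function names, the allowlist contents and the sample filenames are all this example's assumptions.

```php
<?php
// Added example, not Contact Form 7's code: a defensive upload-filename
// sanitizer plus an extension allowlist. Function names and the
// ALLOWED_EXTENSIONS list are assumptions made for this illustration.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Strip control characters, path delimiters and other special characters
 * from a user-supplied filename, keeping only a conservative character set.
 */
function sanitize_upload_filename(string $name): string
{
    // 1. Drop any path delimiters a client may have smuggled in, so the
    //    name can never point outside the upload directory.
    $name = str_replace(['\\', '/'], '', $name);

    // 2. Remove ASCII control characters (NUL, TAB, CR, LF, ...) and DEL.
    //    Such bytes can make an extension check and the filesystem see two
    //    different names for the same file.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // 3. Keep only letters, digits, dot, dash and underscore; replace
    //    everything else (spaces, quotes, semicolons, non-ASCII) with '_'.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // 4. Collapse runs of dots and trim leading dots, so a name cannot
    //    hide a second extension or become a dot-file.
    $name = preg_replace('/\.{2,}/', '.', $name);
    $name = ltrim($name, '.');

    return $name === '' ? 'upload' : $name;
}

/**
 * Allowlist check on the final extension. Returns true only if the
 * sanitized name ends in an allowed extension and no earlier dot-separated
 * segment names a server-side script type (guards against "x.php.jpg" on
 * hosts that execute by the first recognised extension).
 */
function is_allowed_upload(string $sanitized): bool
{
    $parts = explode('.', strtolower($sanitized));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;
    }
    $script_types = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pl', 'cgi', 'sh'];
    foreach ($parts as $segment) {
        if (in_array($segment, $script_types, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs for this illustration (not from any real report).
$samples = [
    "report.pdf",           // -> report.pdf        ALLOW
    "photo.jpg",            // -> photo.jpg         ALLOW
    "../../wp-config.php",  // -> wp-config.php     REJECT (php extension)
    "shell.php\x00.jpg",    // -> shell.php.jpg     REJECT (php segment)
    "shell.php\t.jpg",      // -> shell.php.jpg     REJECT (php segment)
    "x.phtml",              // -> x.phtml           REJECT (not allowlisted)
];

foreach ($samples as $raw) {
    $clean = sanitize_upload_filename($raw);
    printf("%-26s -> %-18s %s\n",
        json_encode($raw), $clean, is_allowed_upload($clean) ? 'ALLOW' : 'REJECT');
}
```

The two functions are deliberately separate: sanitizing the characters is what the changelog describes, but on its own it does not decide whether the resulting file may be executed, so the allowlist check runs on the sanitized name rather than on the raw one. Storing uploads in a directory where the web server has script execution disabled is the usual third layer, independent of how good the filename handling is.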
Vulnerability fixed in Contact Form 7 version 5.3.2
The filename sanitization vulnerability was fixed in Contact Form 7 version 5.3.2.
All versions of Contact Form 7 up to and including 5.3.1 are considered vulnerable and should be updated immediately.
Read the announcement on the Contact Form 7 site: Contact Form 7 5.3.2
Read the Contact Form 7 changelog