Attackers could upload malicious code to millions of WordPress websites
Source: Heise.de, added 18 December 2020

Astra security researchers have discovered a dangerous security hole in the widely used WordPress plug-in Contact Form 7. The plug-in has 5 million active installs. It is not known whether attackers are currently exploiting the vulnerability.
With Contact Form 7, website admins can offer visitors various contact forms. Due to a bug in the upload mechanism, attackers could upload arbitrary files containing malicious code, the security researchers explain in an article.
In addition, attackers could place a web shell on the server for remote access and execute their own commands. Successful attacks could give them full control of the site.
Which websites are vulnerable? All versions of Contact Form 7 up to and including 5.3.1 are vulnerable. In an advisory, the developers urge admins to install version 5.3.2 promptly, which is protected against these upload attacks. The plug-in requires at least WordPress version 5.4.
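For admins who want to check their own installations against the versions named above, here is a small script added as an example (it is not code from Heise, Astra or the Contact Form 7 project). It reads the plugin header that WordPress stores in the plugin's main file, extracts the `Version:` line and compares it with 5.3.2, the first fixed release according to the article. The file path `wp-content/plugins/contact-form-7/wp-contact-form-7.php` is an assumption, and the header text embedded below is a constructed sample.

```python
"""Check a WordPress install for a Contact Form 7 version that the article
reports as vulnerable (5.3.1 and earlier).  Added example, not code from
Heise, Astra or the Contact Form 7 project."""
import re
import sys
from pathlib import Path

# Threshold taken from the article: 5.3.2 is the first fixed release.
FIXED_VERSION = (5, 3, 2)

# Assumed location of the plugin's main file, relative to the WordPress root.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/contact-form-7/wp-contact-form-7.php")

# Constructed sample of a plugin header, in the layout WordPress expects.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Contact Form 7
Description: Constructed sample header for the version check below.
Version: 5.3.1
*/
"""

# WordPress reads the header with a case-insensitive, multi-line match on
# "Version:"; the same idea is used here, restricted to a version token.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)",
                         re.IGNORECASE | re.MULTILINE)


def parse_version(version: str) -> tuple:
    """Turn '5.3.1' into (5, 3, 1) so tuples compare numerically.
    Missing components are padded with 0; a suffix such as '-beta' is
    ignored, so pre-releases compare equal to the release they precede."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def plugin_version_from_header(header_text: str):
    """Return the version string from a plugin header, or None if absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True when the version is below the first fixed release (5.3.2)."""
    return parse_version(version) < FIXED_VERSION


def check_install(wp_root: Path) -> dict:
    """Inspect one WordPress root directory and report what was found."""
    main_file = wp_root / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    version = plugin_version_from_header(main_file.read_text(errors="replace"))
    if version is None:
        return {"installed": True, "version": None, "vulnerable": None}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Usage: python cf7_check.py /var/www/html [/path/to/other/site ...]
    roots = [Path(p) for p in sys.argv[1:]] or [Path(".")]
    for root in roots:
        result = check_install(root)
        if not result["installed"]:
            print(f"{root}: Contact Form 7 not found")
        elif result["vulnerable"] is None:
            print(f"{root}: plugin present but no Version: header found")
        else:
            status = "UPDATE NEEDED" if result["vulnerable"] else "ok"
            print(f"{root}: Contact Form 7 {result['version']} -> {status}")
```

The script only reads the plugin header, so it can be run read-only across several document roots on a shared host; anything reported as `UPDATE NEEDED` should be brought to 5.3.2 or later as the developers advise.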
A CVE number identifying the security hole has apparently not yet been assigned. A severity rating is also still pending.
The fix came quickly: the security researchers say they found the vulnerability on 16 December 2020 and reported it to the developers. The patched version of Contact Form 7 appeared just one day later.
So as not to hand too much information to potential attackers, the security researchers do not intend to publish further details on possible attack scenarios for two weeks. Admins therefore still have time to update the plug-in.
(des)