Contact Form 7: Over 5 million WordPress sites affected by critical vulnerability

Reports of vulnerabilities in WordPress plugins have become a daily occurrence, and while most of these flaws are detected in time, timely detection is not the only factor in preventing their exploitation. A cybersecurity firm has reported a new flaw in Contact Form 7, a popular plugin for creating multiple forms. If exploited, this vulnerability would allow threat actors to escalate privileges on the vulnerable site.

A hacker who manages to exploit the vulnerability could perform various malicious actions, such as modifying content, redirecting visitors to unknown sites, stealing information, and even taking full control of the target site and locking out the legitimate administrator. On top of that, Google could detect this anomalous behavior and arbitrarily block the site, complicating the recovery process.

About the vulnerability

Contact Form 7 stores its content in the wp-content folder of each WordPress site; this folder holds data related to the site's content but does not store sensitive information. According to cybersecurity specialists, if a hacker manages to access files outside this folder, the site owner faces multiple security issues because of the confidential nature of those files.

Only site administrators are supposed to be able to modify the content of forms created with Contact Form 7, a restriction controlled by a parameter called capability_type, which defines user permissions. A security flaw in the handling of this parameter allows any user, regardless of their privilege level, to make changes to the forms.

A second attack scenario can be triggered by modifying the types of files a Contact Form 7 form accepts. Some forms ask users to upload files in various formats (PDF, JPG and GIF among others); by exploiting the vulnerability, a threat actor could alter the plugin settings so that executable files (PHP, ASP and others) can be uploaded to the target site, and then use them to deploy other attack variants, cybersecurity specialists noted.
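The second scenario shows why a per-form "accepted file types" setting must not be the only control: if a low-privilege user can edit that setting, the upload check it drives is worthless. The following is an added, language-neutral illustration (written in Python, not code from Contact Form 7 or WordPress) of a server-side check in which a site-wide deny list of executable extensions overrides whatever a form's settings allow; the deny list, the form settings and the filenames are constructed for the example.

```python
# Server-wide deny list: extensions that must never be stored in a
# web-served upload directory, whatever an individual form's settings say.
# (Constructed for this example; extend it to match your server stack.)
SERVER_DENYLIST = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "asp", "aspx", "jsp", "cgi", "pl", "sh", "htaccess",
}


def effective_allowlist(form_allowed):
    """Extensions a form may accept: its own setting minus the server policy.

    A tampered form setting that adds 'php' therefore has no effect.
    """
    return {e.lower().lstrip(".") for e in form_allowed} - SERVER_DENYLIST


def is_allowed_upload(filename, form_allowed):
    """Return True only if the upload name passes both form and server policy."""
    # Keep only the final path component so traversal prefixes are ignored.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Null bytes and trailing dots/spaces confuse some filesystems and parsers.
    if "\x00" in name or name != name.strip(" ."):
        return False
    parts = name.lower().split(".")
    # Require a base name and at least one extension (rejects 'README', '.htaccess').
    if len(parts) < 2 or parts[0] == "":
        return False
    segments = parts[1:]
    # No segment after the base name may be a server-side executable type:
    # this rejects 'shell.php.jpg' as well as 'report.pdf.php'.
    if any(seg in SERVER_DENYLIST for seg in segments):
        return False
    # The final extension decides how the file is served; it must be on the
    # form's effective allowlist.
    return segments[-1] in effective_allowlist(form_allowed)
```

Store accepted uploads outside the web root or under a directory where script execution is disabled, so that a bypass of the name check still does not yield code execution.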

The report was sent to the plugin's developers, who fixed the bug with the release of version 5.0.4. The International Institute of Cyber Security (IICS) strongly recommends that administrators of vulnerable deployments update to the latest version as soon as possible to protect their websites.