Cybersecurity experts report finding a critical arbitrary file upload vulnerability in Contact Form 7, a plugin used on millions of WordPress websites. Successful exploitation of this flaw would allow threat actors to take full control of the sites on which the plugin runs. The vulnerability was fixed with the release of Contact Form 7 version 5.3.2.
The plugin is installed on more than 5 million websites, and experts estimate that most of these run outdated versions. The flaw, tracked as CVE-2020-35489, is an unrestricted file upload vulnerability, according to a report by Astra Security Research.
Takayuki Miyoshi, developer of Contact Form 7, received the report and immediately began working on a correction: “We adhered to the recommended protocols in these cases; the update that fixes this vulnerability has already been released,” the report says.
Jinson Varghese, the researcher who discovered the flaw, says the vulnerability allows unauthenticated threat actors to bypass the file upload restrictions in Contact Form 7's form submission process, letting them upload an executable binary to sites running version 5.3.1 or earlier. From there, attackers can carry out all kinds of malicious activity, including modifying the target website, redirecting visitors to third-party sites and even deploying phishing campaigns.
The researcher highlighted how easily a threat actor could have exploited the vulnerability remotely: “For users who have the option to update plugins automatically, they should not take additional actions; other users will need to update manually,” concludes the report.
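The article describes the flaw only at the level of "unrestricted file upload": the plugin's checks on the submitted filename could be bypassed so that an executable file landed on the server. The following is an added example, not code from Contact Form 7, Astra Security or the article's author, showing what a defensive filename check for a form upload looks like in general terms and how the same check can be reused to audit an existing upload directory after a site has run a vulnerable version. The extension allowlist, the executable-extension list, the `storage_name` helper and the `SAMPLE_LISTING` directory contents are all assumptions constructed for the example.

```python
"""Defensive upload-filename validation (added example, not plugin code).

Assumptions, not taken from Contact Form 7: a policy allowlist of
extensions, and that this check runs before the file is written to disk.
"""
import re
from typing import Iterable, List, Tuple

# Extensions the form accepts (policy assumption for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions a web server may execute. They must not appear anywhere in
# the name, not only at the end, so "invoice.php.pdf" is refused too.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar",
    "cgi", "pl", "py", "sh", "htaccess", "exe",
}

MAX_NAME_LENGTH = 200

# Control characters (tab, newline, NUL, ...) and path separators. Control
# characters are a classic way to make a validator and the filesystem
# disagree about where the extension ends, so they are rejected outright.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x1f\x7f/\\]")


def validate_upload_filename(name: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Anything not clearly safe is rejected."""
    if not name or len(name) > MAX_NAME_LENGTH:
        return False, "empty or too long"
    if _FORBIDDEN_CHARS.search(name):
        return False, "control character or path separator"
    if name != name.strip() or name.startswith("."):
        return False, "leading/trailing whitespace or dotfile"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{parts[-1]}' not allowed"
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[:-1]):
        return False, "executable extension hidden in name"
    return True, "ok"


def storage_name(original: str, token: str) -> str:
    """Build the on-disk name from a caller-supplied random token plus the
    validated extension, so no user-controlled bytes reach the path.
    In real use `token` would come from secrets.token_hex(); it is a
    parameter here so the result is deterministic."""
    ok, reason = validate_upload_filename(original)
    if not ok:
        raise ValueError(reason)
    ext = original.rsplit(".", 1)[1].lower()
    return f"{token}.{ext}"


def find_suspicious_uploads(listing: Iterable[str]) -> List[Tuple[str, str]]:
    """Run the validator over a directory listing and return the names it
    would reject. Useful for auditing an upload folder on a site that ran
    an affected version, where such files should not exist at all."""
    flagged: List[Tuple[str, str]] = []
    for name in listing:
        ok, reason = validate_upload_filename(name)
        if not ok:
            flagged.append((name, reason))
    return flagged


# Constructed sample listing; not taken from any real site.
SAMPLE_LISTING = [
    "brochure.pdf",
    "photo.JPG",
    "shell.php",             # server-side script
    "invoice.php.pdf",       # executable extension hidden before a safe one
    "report.pdf\t",          # trailing control character
    "../wp-config.php",      # path traversal attempt
    "notes.txt",
]

if __name__ == "__main__":
    for name, reason in find_suspicious_uploads(SAMPLE_LISTING):
        print(f"{name!r}: {reason}")
```

The two design choices worth noting are that the check is an allowlist (anything not explicitly permitted is refused, so a new executable extension does not need to be anticipated) and that the user-supplied name is never used for the stored file, only its already-validated extension. Running the block prints the four rejected entries from the constructed listing with the reason each one failed.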
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.