Security Vulnerability: Contact Form 7 plugin

A major vulnerability has been found in popular plugin Contact Form 7 allowing hackers to upload malicious scripts.

A vulnerability has been discovered in the popular contact form plugin Contact Form 7 that allows an attacker to upload malicious scripts. This vulnerability was discovered by Astra Security.

This allows an attacker to upload a web shell (malicious script) that can then be used to take over a site or mess with the database.

The developers of Contact Form 7 have released an update to fix the vulnerability.

Contact Form 7 calls their latest update an “urgent security and maintenance release.”

From the developers of Contact Form 7:

“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”

Filename sanitization restricts the names an uploaded file may be saved under, rejecting or rewriting names that indicate an executable script type so that only harmless file types get through. In the case of Contact Form 7, a flaw in that sanitization meant certain kinds of dangerous file names were not caught, so the file could be saved in a form the web server would execute.
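As an illustration of why checking only the last extension is not enough, the following is an added example (not Contact Form 7's own code; the deny-list and sample file names are constructed) showing a weak check next to a hardened sanitizer that strips control characters, keeps only the basename, and neutralises any script extension wherever it appears in the name:

```python
import re
import unicodedata

# Constructed deny-list of extensions a typical web server may execute as a
# script. Illustrative only; not Contact Form 7's list.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                     "pl", "py", "cgi", "asp", "aspx", "jsp", "sh"}


def naive_is_allowed(filename: str) -> bool:
    """Weak check: looks only at the text after the last dot.
    'invoice.php.jpg' or 'invoice.php<TAB>' pass because the final
    segment is not (exactly) a script extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in SCRIPT_EXTENSIONS


def sanitize_upload_name(filename: str) -> str:
    """Hardened sanitization of a user-supplied upload name:
    1. Unicode-normalise and drop control characters (tab, NUL, newline).
    2. Keep only the basename so '../' cannot leave the upload directory.
    3. Replace anything outside a conservative allow-list with '_'.
    4. If any dotted segment is a script extension, fuse it into the
       previous segment with '_' so no part of the name is executable."""
    name = unicodedata.normalize("NFKC", filename)
    name = "".join(ch for ch in name if unicodedata.category(ch)[0] != "C")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip("._")
    segments = name.split(".")
    safe = [segments[0]]
    for seg in segments[1:]:
        if seg.lower() in SCRIPT_EXTENSIONS:
            safe[-1] = safe[-1] + "_" + seg   # invoice.php.jpg -> invoice_php.jpg
        else:
            safe.append(seg)
    return ".".join(safe) or "upload"


if __name__ == "__main__":
    for sample in ["invoice.php.jpg", "invoice.php\t.jpg", "../../invoice.PHP"]:
        print(repr(sample), naive_is_allowed(sample), sanitize_upload_name(sample))
```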

The vulnerability has been fixed in Contact Form 7 version 5.3.2 and we urge website owners to upgrade as soon as possible. Our team are currently patching any affected client sites with a Care Plan.

Sources:

Contact Form 7
https://contactform7.com/2020/12/17/contact-form-7-532/
Contact Form 7 Changelog

Astra Security
Unrestricted File Upload Vulnerability found in Contact Form 7
