Serious Contact Form 7 vulnerability affects 5M+ websites.

Written by Anthony Keal on December 21, 2020

Six days ago I was helping a family member with a WordPress site that had been infected with malware.

I found that the website had been injected with thousands of .htaccess files which were written to redirect the website to a spam website. After the clean-up, I updated the plugins to their latest versions but had trouble updating Contact Form 7 - arguably the most widely used WordPress plugin in the WordPress directory. This led me to believe that perhaps the Contact Form 7 plugin had been modified by the attacker. I took to the web to look for any news of a vulnerability and there was nothing to be found.

I decided to import the form data into a fresh installation of the plugin, and everything was working fine.

Fast-forward a day, and my newsfeed was full of news about a Contact Form 7 vulnerability that allowed attackers to bypass the plugin's file sanitisation process. By exploiting the vulnerability, attackers were able to upload an executable file to the server via any form on the site that contained a file-upload field.

Contact Form 7 is listed as having 5M+ installations but the folks at Wordfence estimate that the real number is likely to be 10M+.

Contact Form 7 Vulnerability

Thankfully, the team at Astra worked with the developers of Contact Form 7 and a patched version of the plugin was released within a day.

The Contact Form 7 vulnerability is fixed in Contact Form 7 version 5.3.2. If you do not use the file-upload functionality in Contact Form 7, you are safe from this particular issue, but you should upgrade to keep your website as safe as possible.

It's safe to assume that, given the sheer popularity of this plugin, the vulnerability will be a prime target for attackers, especially as more specific information about the nature of the flaw is released in the coming weeks.

If a website you manage or own uses Contact Form 7, you should update the plugin to the latest available version. All versions prior to 5.3.2 should be considered vulnerable to attack.
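As an added example (not part of the original post), here is a small POSIX shell check that reads a WordPress plugin header's "Version:" field and reports whether it predates the patched 5.3.2 release. The plugin file path used in cf7_check is an assumption about the standard plugin layout, and the sample header at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag a Contact Form 7 install
# whose version predates the patched release 5.3.2.

PATCHED_VERSION="5.3.2"

# version_lt A B: return 0 when dotted version A is strictly older than B.
# Compares component by component, so 5.3.10 is correctly newer than 5.3.2
# (a plain string comparison would get that wrong).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"               # leading components
        [ "$a" = "$ac" ] && a="" || a="${a#*.}"    # drop them from the remainders
        [ "$b" = "$bc" ] && b="" || b="${b#*.}"
        ac="${ac%%[!0-9]*}"; bc="${bc%%[!0-9]*}"   # strip suffixes such as "-beta"
        ac="${ac:-0}"; bc="${bc:-0}"               # a missing component counts as 0
        [ "$ac" -lt "$bc" ] && return 0
        [ "$ac" -gt "$bc" ] && return 1
    done
    return 1
}

# plugin_version: read a plugin header on stdin and print its "Version:" value.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# cf7_status VERSION: "vulnerable" for anything older than 5.3.2, else "patched".
cf7_status() {
    if version_lt "$1" "$PATCHED_VERSION"; then echo vulnerable; else echo patched; fi
}

# cf7_check WP_ROOT: apply the check to an installed copy. The location of the
# plugin's main file is an assumption about the usual layout, not from the post.
cf7_check() {
    f="$1/wp-content/plugins/contact-form-7/wp-contact-form-7.php"
    [ -r "$f" ] || { echo "not-installed"; return 0; }
    v="$(plugin_version < "$f")"
    [ -n "$v" ] || { echo "unknown"; return 0; }
    cf7_status "$v"
}

# Constructed sample header for a pre-patch install (not real plugin code).
SAMPLE_HEADER='<?php
/*
Plugin Name: Contact Form 7
Version: 5.3.1
*/'

v="$(printf '%s\n' "$SAMPLE_HEADER" | plugin_version)"
echo "Sample header reports $v: $(cf7_status "$v")"   # prints "5.3.1: vulnerable"
```

Point cf7_check at a site's WordPress root to run the same check against a real install.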

If you need any help updating the plugin or think your site may have been compromised, I'd be happy to help.

Anthony Keal is a Senior Digital Producer based in Melbourne, Australia. He is also a Digital Designer and has skills in Front-end development, Marketing, Digital Strategy, and Search Engine Marketing.
