Six days ago I was helping a family member with a WordPress site that had been infected with malware.
I found that the website had been injected with thousands of .htaccess files which were written to redirect the website to a spam website. After the clean-up, I updated the plugins to their latest versions but had trouble updating Contact Form 7 - arguably the most widely used WordPress plugin in the WordPress directory. This led me to believe that perhaps the Contact Form 7 plugin had been modified by the attacker. I took to the web to look for any news of a vulnerability and there was nothing to be found.
I decided to import the form data into a fresh installation of the plugin, and everything was working fine.
Fast-forward a day, and my newsfeed was full of news about a Contact Form 7 vulnerability that allowed attackers to bypass the plugin's file sanitisation process. By exploiting the vulnerability, attackers were able to upload an executable file to the server via any form on the site that contained a file-upload field.
Contact Form 7 is listed as having 5M+ installations but the folks at Wordfence estimate that the real number is likely to be 10M+.
Thankfully, the team at Astra worked with the developers of Contact Form 7 and a patched version of the plugin was released within a day.
The vulnerability is fixed in Contact Form 7 version 5.3.2. If you do not use the file-upload functionality in Contact Form 7, you are safe from this particular issue, but you should still upgrade to keep your website as safe as possible.
If a website you manage or own uses Contact Form 7, you should update the plugin to the latest available version. All versions prior to 5.3.2 should be considered vulnerable to attack.
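As an added example (not code from the original post or from the plugin itself), here is a small Python check that reads a plugin's header and reports whether the installed Contact Form 7 is older than the patched 5.3.2 release. The header layout, the plugin path `wp-content/plugins/contact-form-7/wp-contact-form-7.php` and the sample header text are assumptions.

```python
import re
from pathlib import Path

# The release that fixes the file-upload sanitisation bypass, per the post.
PATCHED_VERSION = "5.3.2"

# Standard WordPress plugin header line, e.g. "Version: 5.3.1" (assumed layout).
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)

def parse_version(text):
    """Return the Version: value from a plugin header, or None if absent."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def version_tuple(v):
    """Turn '5.3.1' into (5, 3, 1); non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)

def is_vulnerable(version):
    """True when the installed version predates the patched release."""
    a, b = version_tuple(version), version_tuple(PATCHED_VERSION)
    # Pad to equal length so that 5.3 compares as 5.3.0
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b

def check_plugin_file(path):
    """Read a plugin's main file and return (version, vulnerable); (None, None) if no header."""
    version = parse_version(Path(path).read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return None, None
    return version, is_vulnerable(version)

# Constructed sample header mirroring the plugin's header layout (assumption, not the real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Contact Form 7
Version: 5.3.1
*/
"""

if __name__ == "__main__":
    # Example usage: point check_plugin_file at wp-content/plugins/contact-form-7/wp-contact-form-7.php
    v = parse_version(SAMPLE_HEADER)
    print(v, "vulnerable - update now" if is_vulnerable(v) else "patched")
```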
If you need any help updating the plugin or think your site may have been compromised, I'd be happy to help.