Last Updated:

Vulnerability in the WordPress add-on Contact Form 7, which has 5 million installations

The WordPress add-on Contact Form 7 5.3.2, which has more than 5 million active installations, fixed a vulnerability (CVE-2020-35489) that allows you to organize the execution of PHP code on the server.

The Contact Form 7 add-on is designed to add custom user feedback forms to websites. The vulnerability manifests itself when you enable the function of sending files in forms (for example, when attaching an image) and allows you to upload files with any extensions to the server in addition to explicitly allowed file types.

To bypass the check for the validity of the downloaded file, it is enough to specify a separator character in the file name, separating the valid extension with it. For example, when transferring a file named "test. php\t. png", the extension will assume that the image is in PNG format, but the file will be saved to disk test.php, which can then be called through a direct access to the site, if the web server settings do not explicitly prohibit the execution of scripts in the directory with the downloaded data.

The problem is solved by removing delimiter characters and control characters from the names of uploaded files. The practical possibility of exploiting the vulnerability in typical configurations is estimated as low, since by default Contact Form 7 for servers with Apache httpd creates in the directory with downloads .htaccess, which prohibits direct access to downloaded files ("Deny from all").