Vulnerability in WordPress plugin affects more than 5 million websites

Cybersecurity experts report a critical arbitrary file upload vulnerability in Contact Form 7, a plugin used on millions of WordPress websites. Successful exploitation of this flaw would allow threat actors to take full control of the sites on which the plugin runs. The vulnerability was fixed with the release of Contact Form 7 version 5.3.2.

The plugin is installed on more than 5 million websites, and experts estimate that most of these run outdated versions of it. The flaw, identified as CVE-2020-35489, is an unrestricted file upload error, according to an Astra Security Research report.

Takayuki Miyoshi, developer of Contact Form 7, received the report and immediately began working on a fix: “We adhered to the recommended protocols in these cases; the update that fixes this vulnerability has already been released,” the report says.

Jinson Varghese, the researcher who discovered the error, states that the vulnerability would allow unauthenticated threat actors to bypass the security checks in Contact Form 7's file upload process, letting them upload an executable file to sites running version 5.3.1 or earlier. From there, attackers could carry out all kinds of malicious activity, including modifying the target website, redirecting visitors to third-party websites and even running phishing campaigns.

The researcher highlighted how easily a threat actor could have exploited the vulnerability remotely. “For users who have the option to update plugins automatically, they should not take additional actions; other users will need to update manually,” the report concludes.
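Since the only mitigation the article gives is updating to 5.3.2 or later, the check a site operator most wants is whether the installed Contact Form 7 is still at a vulnerable version. The script below is an added example, not code from the report or from the plugin; it reads the standard WordPress `Version:` plugin header and assumes the plugin's main file lives at `wp-content/plugins/contact-form-7/wp-contact-form-7.php` (the sample header is constructed for the demonstration).

```python
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "5.3.2"  # first release the article reports as patched

# Constructed sample of a WordPress plugin header block (not a real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Contact Form 7
Plugin URI: https://contactform7.com/
Version: 5.3.1
*/
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.3.1' into (5, 3, 1); pad to three parts so tuples compare cleanly."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)          # ignore suffixes such as '-beta'
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def is_vulnerable(version: str) -> bool:
    """Versions below the fixed release are affected by CVE-2020-35489."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def audit_site(wp_root: str) -> dict:
    """Report whether a WordPress install has a vulnerable Contact Form 7."""
    # Assumed location of the plugin's main file in a standard WordPress layout
    main_file = Path(wp_root) / "wp-content/plugins/contact-form-7/wp-contact-form-7.php"
    if not main_file.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    version = plugin_version(main_file.read_text(errors="replace"))
    if version is None:
        return {"installed": True, "version": None, "vulnerable": None}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}

if __name__ == "__main__":
    v = plugin_version(SAMPLE_HEADER)
    print(f"sample header version {v}: vulnerable={is_vulnerable(v)}")
```

Run `audit_site("/var/www/html")` against a real install (path is an example) and treat `vulnerable: None` as "could not determine", not as safe.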