Geeks for your information
5M WordPress Sites Running ‘Contact Form 7’ Plugin Open to Attack - Printable Version

+- Geeks for your information (https://www.geeks.fyi)
+-- Forum: News (https://www.geeks.fyi/forumdisplay.php?fid=105)
+--- Forum: Privacy & Security News (https://www.geeks.fyi/forumdisplay.php?fid=107)
+--- Thread: 5M WordPress Sites Running ‘Contact Form 7’ Plugin Open to Attack (/showthread.php?tid=13820)



5M WordPress Sites Running ‘Contact Form 7’ Plugin Open to Attack - silversurfer - 18 December 20

Quote:A patch for the popular WordPress plugin called Contact Form 7 was released Thursday. It fixes a critical bug that allows an unauthenticated adversary to takeover a website running the plugin or possibly hijack the entire server hosting the site. The patch comes in the form of a 5.3.2 version update to the Contact Form 7 plugin.
 
The WordPress utility is active on 5 million websites with a majority of those sites (70 percent) running version 5.3.1 or older of the Contact Form 7 plugin.
 
The critical vulnerability (CVE-2020-35489) is classified as an unrestricted file upload bug, according to Astra Security Research, which found the flaw on Wednesday.

“The plugin developer (Takayuki Miyoshi) was quick to fix the vulnerability, realizing its critical nature. We communicated back and forth trying to release the update as soon as possible to prevent any exploitation. An update fixing the issue has already been released, in version 5.3.2,” according to Astra.
 
The bug hunter credited for identifying the flaw, Jinson Varghese, wrote that the vulnerability allows an unauthenticated user to bypass any form file-type restrictions in Contact Form 7 and upload an executable binary to a site running the plugin version 5.3.1 or earlier.
 
Next, the adversary can do a number of malicious things, such as deface the website or redirect visitors to a third-party website in attempt to con visitors into handing over financial and personal information.
 
In addition to taking over the targeted website, an attacker could also commandeer the server hosting the site if there is no containerization used to segregate the website on the server hosting the WordPress instance, according to researchers.

Read more: https://threatpost.com/contact-form-7-plugin-bug/162383/