An unrestricted file upload vulnerability has been found in Contact Form 7, one of the most popular WordPress plugins, affecting version 5.3.1 and lower. The developers have also released a security patch for it. Click here for details.
Letting users upload files as part of a form submission is one of the plugin's important features. In earlier versions of CF7, an attacker could potentially bypass some of Contact Form 7's filename sanitization protections by adding control characters or invisible separators to the name of the uploaded file.
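As an added illustration (this is not Contact Form 7's own code), the following sanitizer removes control characters and invisible separators from an uploaded filename before the extension is checked, which is the class of protection the issue above concerns; the allowed-extension list is a constructed example, not the plugin's policy.

```python
import re
import unicodedata

# Constructed allowlist for this illustration; a site would set its own policy.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})

# Unicode general categories to drop: Cc (control codes such as NUL),
# Cf (format characters such as zero-width spaces) and Zl/Zp (line and
# paragraph separators). Ordinary spaces (Zs) are kept and replaced later.
_INVISIBLE = frozenset({"Cc", "Cf", "Zl", "Zp"})


def strip_invisible(name: str) -> str:
    """Remove control characters and invisible separators from a filename."""
    return "".join(ch for ch in name if unicodedata.category(ch) not in _INVISIBLE)


def sanitize_upload_name(raw: str):
    """Return a safe filename, or None if the upload should be rejected.

    Order matters: invisible characters are removed before the extension is
    examined, so a name cannot hide a second extension behind a control code.
    """
    # Drop any directory component, whether / or \ separators were used.
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    name = strip_invisible(name)
    # Fold look-alike code points (fullwidth letters, ideographic space) to ASCII.
    name = unicodedata.normalize("NFKC", name)
    # Replace anything outside a conservative character set with '_'.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Collapse runs of dots and reject names that are empty or have no extension.
    name = re.sub(r"\.{2,}", ".", name).strip("._")
    if not name or "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    # Keep only the final extension; inner dots become underscores so that
    # "report.pdf.txt" cannot be served under a different type later.
    return f"{stem.replace('.', '_')}.{ext.lower()}"


if __name__ == "__main__":
    # Constructed sample names, including ones with a NUL byte and a zero-width space.
    for sample in ("photo.jpg", "notes\x00.txt", "report\u200b.pdf", "../../etc/config.txt", "archive.tar.gz"):
        print(repr(sample), "->", sanitize_upload_name(sample))
```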
If you are using Contact Form 7 without the file upload addon, your site is not exposed to attackers looking to take advantage of this vulnerability. However, we still recommend updating immediately to ensure your site is protected.
The patched version was released on December 17, 2020. If you are using Contact Form 7 for your form submissions, we strongly recommend updating CF7 to version 5.3.2 as soon as possible.
While this vulnerability is unlikely to be easy to exploit, Contact Form 7 is so widely installed that attackers may still end up targeting it.
Talk to us if you have further questions about this vulnerability.