A critical file upload vulnerability was disclosed by the developers of a popular WordPress plugin named Contact Form 7, and a patch has been issued. The vulnerable plugin had more than 5 million active installs.
The unrestricted file upload vulnerability (CVE-2020-35489) in the Contact Form 7 plugin can allow an attacker to bypass Contact Form 7’s filename sanitization protections when uploading files.
Through the plugin, an attacker can upload a crafted file containing arbitrary code to the vulnerable server.
The attacker can then have that file executed as a script, running the code it contains.
The Contact Form 7 project team stated that they have released an urgent security and maintenance release, Contact Form 7 version 5.3.2, and recommend that all users update as early as possible.
Jinson Varghese Behanan, an information security analyst with Astra Security, discovered and reported this vulnerability while performing a security audit for a client.
Because the vulnerability is critical and the plugin is so widely used, the researcher reported it promptly and the developers issued a fix just as quickly.
The issue occurs in the includes/formatting.php file which is part of the Contact Form 7 plugin code.
In the vulnerable versions, the plugin does not remove special characters from the uploaded filename, including control characters and separators.
This could allow an attacker to upload a file whose name contains a double extension separated by a non-printable or special character, such as a file called “abc.php .jpg”. The separator between the two extensions here is a tab (\t) character.
This might appear to be an image file (*.jpg) to the client-side interface of Contact Form 7.
When the file is uploaded to the server, Contact Form 7 will likely parse the filename only up to the first extension and discard the second one because of the separator.
The resulting filename would then be “abc.php”, a PHP script that the attacker can now request in order to execute arbitrary code on the server.
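As an added illustration of the sanitization order that closes this gap, the following Python sketch is not code from the Contact Form 7 plugin or from Astra Security; it strips control and separator characters before any extension logic runs, neutralizes every script extension in the name rather than only the last one, and includes a detection helper that returns the reasons a submitted filename deserves a log entry. The list of script extensions is an assumption for the example.

```python
import re
import unicodedata

# Extensions a typical web server may hand to a script interpreter. This list is
# an assumption for the example; tune it to the server's actual handler config.
SCRIPT_EXTENSIONS = re.compile(r"^(php|phtml|phar|pl|py|rb|cgi|asp|aspx|jsp)\d?$", re.I)


def strip_control_and_separators(name: str) -> str:
    """Drop every Unicode control (C*) and separator (Z*) code point, so that
    'abc.php\t.jpg' becomes 'abc.php.jpg' before any extension logic runs."""
    return "".join(c for c in name if not unicodedata.category(c).startswith(("C", "Z")))


def upload_name_findings(name: str) -> list[str]:
    """Detection side: reasons a submitted filename should be logged/alerted on."""
    findings = []
    cleaned = strip_control_and_separators(name)
    if cleaned != name:
        findings.append("control-or-separator-character")
    parts = cleaned.split(".")
    if any(SCRIPT_EXTENSIONS.match(p) for p in parts[1:]):
        findings.append("script-extension")
    if len(parts) > 2:
        findings.append("multiple-extensions")
    return findings


def sanitize_upload_filename(name: str) -> str:
    """Hardened sanitizer: normalise first, then neutralise every script
    extension anywhere in the name, not only the final one."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]        # drop path components
    name = strip_control_and_separators(name)                 # the CVE-2020-35489 gap
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip(".")  # conservative charset
    if not name:
        return "upload"
    parts = name.split(".")
    base, middle = parts[0], parts[1:-1]
    last = parts[-1] if len(parts) > 1 else None
    out = base
    for p in middle:                      # e.g. "abc.php.jpg" -> "abc.php_.jpg"
        out += "." + p + ("_" if SCRIPT_EXTENSIONS.match(p) else "")
    if last is not None:                  # e.g. "shell.php" -> "shell.php_.txt"
        out += ("." + last + "_.txt") if SCRIPT_EXTENSIONS.match(last) else "." + last
    return out
```

Running the sanitizer on the tab-separated name from the text yields "abc.php_.jpg", which no common handler configuration treats as PHP, while ordinary image names pass through unchanged.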
Users can download the patched version 5.3.2 of the plugin from WordPress, and all users of Contact Form 7 are recommended to apply this update immediately.