The developers of the popular Contact Form 7 WordPress plugin, which is installed on more than 5,000,000 sites, have released a fix for a critical vulnerability.
The flaw allowed attackers to bypass the sanitization that the plugin applies to the names of uploaded files. As a result, an attacker could upload a file containing arbitrary code to a vulnerable server and then request it as a script, executing the code hidden inside.
The bug was discovered by Astra Security during an audit conducted for one of their clients. It is fixed in Contact Form 7 version 5.3.2, and the developers strongly recommend that all site administrators update the plugin as soon as possible.
Bleeping Computer explains that the bug lies in the includes/formatting.php file that ships with Contact Form 7. Affected versions did not strip special characters, including control characters and separators, from the names of uploaded files. Because of this, an attacker could upload a file with a double extension to the server, for example “abc.php\t.jpg”, where \t stands for a tab character.
In this example the separator between the two extensions is the tab character (\t), so to the plugin's client-side check the file looks like an ordinary .jpg image. Once the file reaches the server, however, Contact Form 7 parses the name, the extra extension is discarded, and what ends up stored is abc.php, a PHP script that the attacker can then request in order to execute arbitrary code.
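To make the bypass concrete, here is an added example that is not part of the original article and not the plugin's own PHP: a simplified Python model of an extension-neutralizing filename sanitizer of the general kind described above, next to a hardened variant that first strips Unicode control and separator characters (categories C* and Z*) from the name. The script-extension list, the segment-by-segment neutralization with a trailing underscore, and the naive client-side allow-list check are illustrative assumptions chosen to show the mechanism, not a reconstruction of Contact Form 7's code.

```python
import re
import unicodedata

# Assumed list of extensions that the sanitizer should neutralize
# (illustrative; not the plugin's actual list).
SCRIPT_EXT = re.compile(r"(php|phtml|pl|py|rb|cgi|asp|aspx)\d?", re.IGNORECASE)

# Assumed allow-list used by a naive client-side check that only looks
# at the text after the final dot.
IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}


def looks_like_allowed_image(filename: str) -> bool:
    """Naive client-side check: trusts whatever follows the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in IMAGE_EXT


def vulnerable_antiscript(filename: str) -> str:
    """Model of a sanitizer that inspects every dot-separated segment but
    does NOT strip control/separator characters first. A segment such as
    "php<TAB>" does not match the script pattern, so it survives intact."""
    parts = filename.split(".")
    if len(parts) < 2:
        return filename  # no extension at all, nothing to neutralize
    base, middle, ext = parts[0], parts[1:-1], parts[-1]
    out = base
    for part in middle:
        # A script extension buried in the middle of the name gets "_" appended
        out += "." + part + ("_" if SCRIPT_EXT.fullmatch(part) else "")
    # A script extension at the end gets "_.txt" appended so it is never executed
    out += "." + ext + ("_.txt" if SCRIPT_EXT.fullmatch(ext) else "")
    return out


def strip_control_and_separators(s: str) -> str:
    """Drop every character whose Unicode general category starts with
    C (control, format, unassigned, ...) or Z (space/line/paragraph separators).
    Note this also removes ordinary spaces, which is the intended trade-off."""
    return "".join(ch for ch in s if unicodedata.category(ch)[0] not in "CZ")


def hardened_antiscript(filename: str) -> str:
    """Hardened variant: normalize the name before inspecting extensions so a
    tab or zero-width character cannot hide a script extension from the check."""
    return vulnerable_antiscript(strip_control_and_separators(filename))


if __name__ == "__main__":
    # Constructed sample names, including the tab trick from the article
    for name in ["abc.php\t.jpg", "shell.php", "x.php\u200b.png", "README"]:
        print(repr(name),
              "client-allowed:", looks_like_allowed_image(name),
              "vulnerable ->", repr(vulnerable_antiscript(name)),
              "hardened ->", repr(hardened_antiscript(name)))
```

Running the block shows the asymmetry that makes the trick work: the client-side check accepts “abc.php\t.jpg” because the last segment is jpg, the vulnerable sanitizer leaves the embedded php segment untouched because the trailing tab keeps it from matching, and the hardened sanitizer, having removed the tab first, rewrites it to “abc.php_.jpg”. Stripping control and separator characters before any extension logic runs is the check a practitioner would want in any upload handler, regardless of framework.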