A patch for the favored WordPress plugin called Contact Form 7 was released Thursday. It fixes a critical bug that permits an unauthenticated adversary to takeover a website running the plugin. Or possibly hijack the whole server hosting the site. The patch comes within the sort of a 5.3.2 version update to the Contact Form 7 plugin.
The Contact Form 7 plugin is active on more than 5 million websites. And a majority of sites (70%) are running the 5.3.1 version or older of the plugin.
In addition, the critical vulnerability (CVE-2020-35489) is assessed as an unrestricted file upload bug. Consistent with Astra Security Research, which found the flaw on Wednesday.
The developer of the plugin (Takayuki Miyoshi) was quick to correct the vulnerability and realised its critical nature. We communicated back and forth in order to prevent any exploitation, trying to release the update as soon as possible. The update already released for fixing the issue, according to Astra, in version 5.3.2.
Jinson Varghese, the bug hunter credited for identifying the flaw, wrote that the vulnerability allows an unauthenticated user to bypass. Any Contact Form 7 file-type restrictions. And upload an executable binary to a site running version 5.3.1 or earlier of the plugin.
Moreover, the adversary can do variety of malicious things, like deface the web site or redirect visitors to a third-party website in plan to con visitors into delivering financial and private information.
In addition to taking up the targeted website, an attacker could also commandeer the server hosting the location. If there’s no containerization wont to segregate the web site on the server hosting the WordPress instance, consistent with researchers.
Easy to take advantage of
“It can easily exploit and the attacker would not have to authenticate himself and the attack can be carried out remotely,” said Naman Rastogi. Astra’s digital marketer and growth hacker, in a Threatpost email interview.
Contact form 7 has patched with an update, he said. “For users who have automatic updates on for WordPress plugin the software will automatically update. For others, they indeed will required to proactively update,” he told.
Moreover, to keep perspective on the bug, web analytics firm Netcraft estimates there are 455 million websites using the WordPress platform currently. That means 1.09 percent of WordPress sites might be susceptible to attack via this flaw.
You may also like: