Aligning to industry best practices and standards of providing the best services to you, we publish security advisories that are designed to provide timely information to all our esteemed customers.
WordPress Plugin Contact Form 7 is prone to a vulnerability that attackers can upload arbitrary files because the application fails to properly sanitize user-supplied input.
An unrestricted file upload vulnerability has been found in Contact Form-7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file that can be executed as a script file on the host server.
- An attacker can upload a web shell and inject malicious scripts.
- An attacker can execute arbitrary code and completely take over the website.
- An attacker can compromise the web server also.
- An attacker can put a phishing page into the website and deface the website.
Contact Form 7 – 5.3.1 and older versions
Note: Sites having Contact Form 7 installed without the file upload functionality are not vulnerable.
How to Protect Yourself:
Update to plugin version 5.3.2 or the latest.
If you have Bitninja installed on your servers, enable your WAF 2.0 module on the dashboard, sit back, and enjoy the ultimate server security protection.
If you haven’t installed BitNinja in your E2E Servers, You can install it in the running nodes, Please refer to the link for the steps.
More about BitNinja
How to resolve this Contact Form 7 vulnerability:
- Take a complete backup before upgrading the plugin, You can take a local backup or you can opt for E2E CDP Backup more details here or you can push your code and DB to E2E Object Storage more details here
- Plugin Upgrade -> https://blog.wpsec.com/contact-form-7-vulnerability/
We at E2E Networks always encourage our customers to pursue the best practices of security to keep their systems updated, protected, and patched against recognized vulnerabilities.
If you have any queries regarding the patching/updates on E2E Networks infrastructure, you may write an email to firstname.lastname@example.org.