A vulnerability advisory was issued for a WordPress Contact Form 7 add-on plugin that enables unauthenticated attackers to “easily” launch a remote code execution. The vulnerability is rated high (8.8/10) on the CVSS threat severity scale.
Screenshot from Wordfence advisory showing 8.8 CVSS severity ratingRedirection for Contact Form 7 plugin
The vulnerability affects the Redirection for Contact Form 7 WordPress plugin, which is installed on over 300,000 websites. The plugin extends the functionality of the popular Contact Form 7 plugin. It enables a website publisher not only to redirect a user to another page but also to store the information in a database, send email notifications, and block spammy form submissions.
The vulnerability arises in a plugin function. WordPress functions are PHP code snippets that provide specific functionalities. The specific function that contains the flaw is called the delete_associated_files function. That function contains an insufficient file path validation flaw, which means it does not validate what a user can input into the function that deletes files. This flaw enables an attacker to specify a path to a file to be deleted.
Thus, an attacker can specify a path (such as ../../wp-config.php) and delete a critical file like wp-config.php, clearing the way for a remote code execution (RCE) attack. An RCE attack is a type of exploit that enables an attacker to execute malicious code remotely (from anywhere on the Internet) and gain control of the website.
The Wordfence advisory explains:
“This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).”
The vulnerability affects all versions of the plugin up to and including version 3.2.4. Users of the affected plugin are advised to update the plugin to the latest version.
Featured Image by Shutterstock/Everyonephoto Studio
