This just in: Contact-Form-7 (WordPress) Vulnerability – 5 million websites at risk – CVE-2020-35489

A vulnerability has been discovered in Contact Form 7 that allows an attacker to upload malicious scripts. The publishers of Contact Form 7 have released an update to fix the vulnerability.

Unrestricted File Upload Vulnerability…

Noooo, I’m not going to steal/copy/plagiarize this article, just read the article on CVE 2020 35489 on searchenginejournal.com.

But I do have something to add.

First, “Unrestricted File Upload Vulnerability”… Well, that seems a bit overstated. When you have a contact-form that allows file uploads, of course it should be unrestricted. But perhaps the restriction should be on what kind of files… and that is exactly so :)

WPCF7 has a filter that renames files with an executable extension to ._txt, and with that the file is no longer executable. But the problem goes way, way deeper, and frankly, other people can explain it better than I can, but it has to do with null characters in filenames, and how PHP and the webserver handle those.

The article also speaks of shell scripts. I don’t know what kind of hosting they are using, but shell scripts are NEVER executable through a web-request, or they at least never SHOULD be, but then again, maybe in some cases they are.

In any case, better to be safe than sorry, so, let’s check our websites, and oh, my, that is a big number of sites that cannot get a fixed version…

Reason being, WPCF7 has stated a minimum WordPress version of 5.4 but older WordPresses also can use WPCF7 and are still maintained; don’t they get some love and attention?

NO. Sorry. Well, not until right now!

With this single line of code (in your theme or in an mu-plugin, your choice) you can get the same fix.

// Strip control characters (including NUL) and separator characters from the uploaded filename before WPCF7 checks its extension
add_filter( 'wpcf7_upload_file_name', function( $filename ) { return preg_replace( '/[\pC\pZ]+/i', '', $filename ); } );

But do note: this only affects WPCF7 5.0.2 and up, so if your version is older, then you are also using a way-out-of-date WordPress and thus have bigger problems.
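As an added example (not the post's own code, nor Contact Form 7's), this stand-alone PHP script runs the filter callback from above over a few constructed filenames and then feeds the result to a simplified extension check. That check is an assumption standing in for the plugin's own, included only to show why removing control and separator characters first matters.

```php
<?php
// Added example; neither the post's nor the plugin's code.

// The filter callback from the post, as a named function.
function strip_control_and_separator_chars( string $filename ): string {
    // \pC = "Other" (controls incl. NUL, format chars), \pZ = separators.
    return preg_replace( '/[\pC\pZ]+/i', '', $filename );
}

// Simplified stand-in for an executable-extension check (assumption, not the
// plugin's implementation): any dot-separated part that looks like a script
// extension gets "_txt" appended so the webserver will not hand it to an interpreter.
function neutralise_script_extension( string $filename ): string {
    $parts = explode( '.', $filename );
    if ( count( $parts ) < 2 ) {
        return $filename;
    }
    $script_pattern = '/^(php|phtml|pl|py|rb|cgi|asp|aspx)\d?$/i';
    $name = array_shift( $parts );
    foreach ( $parts as $part ) {
        $name .= preg_match( $script_pattern, $part ) ? '.' . $part . '_txt' : '.' . $part;
    }
    return $name;
}

// Constructed sample filenames (not real uploads).
$samples = [
    "report.pdf",      // harmless, must pass through unchanged
    "shell.php\0.jpg", // NUL byte keeps "php\0" from matching ^php$
    "shell.ph\tp",     // tab splits the extension token
    "notes .txt",      // an ordinary space is a separator too
];

foreach ( $samples as $raw ) {
    $check_only   = neutralise_script_extension( $raw );
    $filter_check = neutralise_script_extension( strip_control_and_separator_chars( $raw ) );
    printf(
        "%-22s check only: %-22s filter + check: %s\n",
        addcslashes( $raw, "\0..\37" ),        // make NUL/tab visible in the output
        addcslashes( $check_only, "\0..\37" ),
        $filter_check
    );
}
```

Run it with `php example.php`: the two script-looking names are only neutralised in the "filter + check" column, which is exactly the gap the one-line filter closes on an older install.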

Check out the vulnerability details on wpscan.com.

So if you’re worried that your older version of Contact-Form-7 for older versions of WordPress cannot be fixed, now you know how to do it yourself.

Stay safe, not only out there, but also in the web-world ;)

Author: Remon Pel

WebDeveloper though not WebDesigner
