Uncovering Potential Issues with the Contact Form 7 Vulnerability: More Data Needed

On December 17, 2020, the Astra research security team disclosed that they had discovered a critical severity Unrestricted File Upload vulnerability in Contact Form 7, the most popular WordPress plugin of all time. The lead researcher, Jinson Varghese, also published a blog post providing limited information about this vulnerability.

The initial disclosure claimed that “By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website.”

At the time, we were unable to duplicate the exploit and published our analysis based on the best information available, which indicated that the vulnerability would be difficult to exploit and would likely require a very specific configuration, but we wanted to wait until a public Proof of Concept was available.

A minimal Proof of Concept submitted to wpvulndb by the original researcher was made available on December 31, 2020. A separate, unverified Proof of Concept appeared on exploit-db on December 20, 2020. On January 10, 2021, the Astra Security team updated their vulnerability announcement stating that a full Proof of Concept would not be released.

None of our threat analysts were able to use these initial Proofs of Concept or any variants thereof to achieve unrestricted file upload, and indeed we had already attempted several variants of each Proof of Concept when the vulnerability was first disclosed because our analysis of the plugin patch indicated that these might be a viable approach.

We were able to use a double extension plus a unicode character to pass a single security check, the wpcf7_antiscript_file_name function, but this function was only one of several security measures in place for the upload process, and bypassing it did not allow the ability to upload files with extensions that would be executable on any of our test configurations. The most recent of these additional security features, the addition of a randomized directory, has been in place for more than 6 years.

We were not able to successfully upload files ending in a “.php” extension, nor were we able to upload files with double extensions (e.g. file.php.jpg, or file.jpg.php, with or without an invisible unicode separator between the two extensions) that would be parsed by any recent web server configuration we have tested, including Apache with a PHP AddHandler or anchored SetHandler directive, Apache + PHP-FPM, NGINX + FastCGI, Litespeed, or IIS. Additionally, we have not seen any evidence of this vulnerability being successfully exploited in the wild.

We contacted the original security researcher requesting more information, but have not heard back at the time of this publication. We also contacted the plugin developer, who indicated that he recognized the bypass in the wpcf7_antiscript_file_name function as a potential vulnerability but had not been supplied with a Proof of Concept that bypassed the other security measures. We reached out to Astra Security who pointed us to their updated blog post indicating that no Proof of Concept would be released and that they had also not seen any evidence that the vulnerability was being exploited in the wild.

Open source security research is incredibly important and makes the entire WordPress ecosystem safer. It is critically important that vulnerable configurations are known; any server configuration that allows this vulnerability to be exploited could allow currently undiscovered vulnerabilities in other plugins to be exploited as well. It is also important to the credibility of our industry that this research be independently verifiable. While we realize that there may be good reasons not to make a Proof of Concept public, providing such a Proof of Concept to other security researchers allows the industry to improve its response to known threats.

For these reasons, we are requesting that the Astra Security research team, or anyone else in the WordPress or Security community who is able to do so, provide us more information about this vulnerability, as we would like to be able to independently duplicate the issue in order to confirm its impact, not only for the millions of users of Contact Form 7, but also for the wider WordPress ecosystem. We are requesting vulnerable server and plugin configurations in which it is possible to upload an executable PHP file via this vulnerability, as well as an unabridged Proof of Concept that allows us to duplicate the issue.

The post Uncovering Potential Issues with the Contact Form 7 Vulnerability: More Data Needed appeared first on Wordfence.

More great articles

Critical Remote Code Execution Vulnerability in Elementor

On March 29, 2022, the Wordfence Threat Intelligence team initiated the disclosure process for a critical vulnerability in the Elementor…

Read Story

Large-Scale Attacks Target Epsilon Framework Themes

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities…

Read Story

Critical SQL Injection Vulnerability Patched in WooCommerce

On July 14, 2021, WooCommerce released an emergency patch for a SQL Injection vulnerability reported by security researcher Thomas DeVoss…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.