Contact Form 7 (5.3.1 & below) Vulnerable To Unrestricted File Upload

Dec 17, 2020

Before you start reading the description, please log in to your WordPress Admin panel & update all the plugins.

Contact Form 7 versions 5.3.1 and below were found to be vulnerable to unrestricted file upload.

This issue has been reported by security researchers at Astra Security.

By exploiting this vulnerability, attackers could upload files of any type, bypassing all restrictions on the file types a website allows for upload.

Contact Form 7 released a fix on December 17, 2020, with version 5.3.2.
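
To check many sites at once for the affected range (5.3.1 and below), the script below reads the plugin header from each WordPress root and classifies the install. It is an added example, not code from Contact Form 7 or Astra Security; it assumes the default plugin path wp-content/plugins/contact-form-7/wp-contact-form-7.php, and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (5, 3, 2)  # first fixed release, per the advisory
# Assumption: default plugin location and main file name inside a WordPress root.
PLUGIN_FILE = Path("wp-content/plugins/contact-form-7/wp-contact-form-7.php")
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(header_text):
    """Return the Version: value from a WordPress plugin header, or None."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'5.3.1' -> (5, 3, 1); short versions are zero-padded ('5.3' -> (5, 3, 0))."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(version):
    """True for 5.3.1 and below, the range the advisory names."""
    return version_tuple(version) < FIXED


def audit(wp_root):
    """Classify one WordPress root: 'absent', 'unknown', 'vulnerable' or 'patched'."""
    path = Path(wp_root) / PLUGIN_FILE
    if not path.is_file():
        return "absent"
    # WordPress reads only the first 8 KiB of a plugin file for header data.
    version = parse_version(path.read_text(errors="replace")[:8192])
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


# Constructed sample header for illustration, not copied from the plugin.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Contact Form 7\nVersion: 5.3.1\n*/\n"

if __name__ == "__main__":
    for root in sys.argv[1:]:
        print(f"{root}: {audit(root)}")
```

Run it with one or more WordPress root directories as arguments; any root reported as vulnerable should be updated to 5.3.2 or later.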

About Contact Form 7
Contact Form 7 is one of the most popular WordPress plugins that allows its users to add multiple contact forms on their site. The plugin currently has over 5 million active installations. So, any vulnerability in this plugin puts millions of websites at risk of being compromised.

Useful links -

An official update from the Contact Form 7 team - https://contactform7.com/2020/12/17/contact-form-7-532/#more-38314

Detailed description of the issue - https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/
Astra's WordPress Firewall to secure your site from Zero day exploits & vulnerabilities - https://www.getastra.com/wordpress-firewall