WordPress plug-in vulnerability (CVE-2020-35489); the patch is now available for download

Astra Security analyst, Jinson Varghese Behanan, discovered vulnerability in the popular Contact Form 7 plug-in, allowing attackers to bypass the plug-ins filename sanitization protections when uploading files.

The attackers upload a crafted file with arbitrary code on the vulnerable server and then execute this file as a script to run code within.

The security analyst found the unrestricted file upload vulnerability (CVE-2020-35489) during they were doing a security audit for a client.

The issue was in the “includes/formatting.php” file within the Contact Form 7 plug-in code. In the vulnerable versions, the plug-in does not remove special characters from the uploaded filename, including the control character and separators.

 The attackers upload a filename containing double-extensions, separated by a non-printable or special character, for example a file called “abc.pjp    .jpg.” (\t) character is the separator in this example. It appears as (*.jpg) in the client-side interface of the plug-in.

When this file is uploaded to the server, the Contact Form 7 will parse the filename up till the first extension but discard the second one due to the separator. Thus, the filename would become “abc.php” that the attackers access through arbitrary code execution to the server.

This week, Contact Form 7 disclosed this vulnerability in the WordPress plug-in and issued a patch. The patch is available in the version 5.3.2 that can be downloaded from WordPress.

Behanan said, “Seeing the criticality of the vulnerability and the number of WordPress websites using this popular plugin, we quickly reported the vulnerability. The developer was even quicker in issuing a fix. Kudos to the Contact Form 7 team for leading by example”.

Users who are using this plug-in are highly advised to install the latest version of the Contact Form 7 plug-in.