Background of the Vulnerability

This morning a critical Unrestricted File Upload vulnerability was disclosed for the WordPress Contact Form 7 plugin.  This is one of the most popular wordpress plugins in use, with over 5 million active installs.  That is because it’s extremely easy to use for setting up a basic contact form.

Unfortunately a vulnerability in the plugin can allow the upload of executable PHP code in some configurations.   While the standard CanTrust Hosting security configuration should prevent this from happening, and only forms accepting file uploads should be vulnerable, neither of those assumptions is foolproof in all cases.

Emergency Hot-Fix applied

Because Contact Form 7 was in use on more than 50% of the WordPress sites that we host, we decided to perform an emergency hot-fix to all installations of contact-form-7 on all the sites hosted with us.

This will ensure that everyone is safe and has time to update their plugin properly.   We applied this hot-fix on December 17th, 2020 between 2PM and 4PM pacific time and it was a one line addition to the file includes/formatting.php, as per this commit in Git.

 

Customer Impact

For most customers, you will not notice that we have done this, and when you run your plugin updates normally our change will be overwritten with the new version.

If you deploy using Git or another source control method:

Then you may find our patch as an uncommitted change to the file wp-content/plugins/contact-form-7/includes/formatting.php .  You can safely revert this change in order to pull a new version of the repo, but keep in mind that will open you up to the vulnerability again, so be sure to put the upgraded version in place right away.

 

Followup

There is no immediate follow-up required, though customers should install the new version of the Contact Form 7 plugin, along with their regular cycle of security updates.

We will be reaching out directly to customer developers to confirm specific fixes.  We apologize for any inconvenience this patch may have caused, but we hope the extraordinary need is evident.

 

More information

please see the following resources:

https://www.bleepingcomputer.com/news/security/wordpress-plugin-with-5-million-installs-has-a-critical-vulnerability/

https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/

https://wpscan.com/vulnerability/10508