The Astra Security Research team discovered a high-severity Unrestricted File Upload vulnerability in the WordPress plugin Contact Form 7 5.3.1 and older versions.

The vulnerable plugin, Contact Form 7, has over 5 million active installs, so WordPress site owners should treat this upgrade as urgent.


By exploiting this vulnerability, an attacker can upload files of any type, bypassing the restrictions a site places on the allowed uploadable file types. In practice this lets the attacker plant malicious content such as a web shell on any site that runs Contact Form 7 version 5.3.1 or older and has file upload enabled on one of its forms.
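The defensive counterpart to the bug described above is strict server-side validation of uploaded attachments. The following is an added example, not code from the Contact Form 7 plugin or from the Astra advisory, and it does not reproduce the plugin's specific bypass; it shows the general controls a contact-form upload handler should apply: reject control characters in the client-supplied name, strip any path component, allowlist the final extension, refuse executable extensions anywhere in the name (double extensions), and confirm that the file content matches the declared type. The allowlist, the signature table and the sample inputs are assumptions chosen for illustration.

```python
import re
import unicodedata
from typing import Optional

# Assumption: a typical "documents and images only" policy for a contact form.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Never accepted anywhere in the name, because a mis-configured web server may
# hand such files to an interpreter (e.g. "shell.php.jpg" on some Apache setups).
DANGEROUS_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar",
    "cgi", "pl", "sh", "htaccess",
}

# Magic bytes for the binary types on the allowlist (constructed table).
# Types without an entry (txt) rely on the extension allowlist alone.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def sanitize_upload_filename(name: str) -> Optional[str]:
    """Return a safe, canonical filename, or None if the upload must be rejected."""
    # 1. Any Unicode control/format character (NUL, TAB, CR, LF, ...) is a hard reject:
    #    such characters are a classic way to smuggle a second extension past a filter.
    if any(unicodedata.category(c).startswith("C") for c in name):
        return None

    # 2. Ignore any directory component the client sent (both slash styles).
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or base in (".", ".."):
        return None

    # 3. Collapse everything outside a conservative character set to "_".
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)

    # 4. Treat every dot-separated segment after the first as an extension.
    parts = base.split(".")
    if len(parts) < 2:
        return None
    exts = [p.lower() for p in parts[1:]]
    if any(e in DANGEROUS_EXTENSIONS for e in exts):
        return None
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return None
    return base


def content_matches_extension(data: bytes, ext: str) -> bool:
    """Check the file's leading bytes against the signature expected for ext."""
    signatures = MAGIC.get(ext.lower())
    if signatures is None:
        return True
    return any(data.startswith(sig) for sig in signatures)


def validate_upload(name: str, data: bytes) -> Optional[str]:
    """Full check: safe name AND content consistent with the declared extension."""
    safe = sanitize_upload_filename(name)
    if safe is None:
        return None
    ext = safe.rsplit(".", 1)[-1]
    if not content_matches_extension(data, ext):
        return None
    return safe


if __name__ == "__main__":
    # Constructed sample uploads: one benign image, one PHP web shell with an
    # image extension, one name carrying a TAB between two extensions.
    samples = [
        ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.png", b"<?php system($_GET['c']); ?>"),
        ("shell.php\t.jpg", b"\xff\xd8\xff\xe0"),
    ]
    for name, data in samples:
        print(repr(name), "->", validate_upload(name, data))
```

Note that the allowlist is checked on the last extension while the denylist is checked on every segment: the former decides what the site wants to accept, the latter closes the double-extension trick independently of server configuration. Validation must run on the server after the file is received; client-side `accept` attributes on the form are only a usability hint.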

If you are running Contact Form 7 version 5.3.1 or below, update the plugin to the latest version, 5.3.2, which contains the fix.
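To confirm which version a site is actually running, read the plugin header rather than trusting a dashboard that may be cached. The script below is an added example, not part of the advisory; it assumes the plugin's main file lives at wp-content/plugins/contact-form-7/wp-contact-form-7.php and carries a standard WordPress plugin header with a "Version:" line. The embedded header text is a constructed sample, not a copy of the plugin's file.

```python
import re
from typing import Optional, Tuple

# First version the advisory names as fixed.
FIXED_VERSION = "5.3.2"

# Assumed location of the plugin's main file, relative to the WordPress root.
PLUGIN_MAIN_FILE = "wp-content/plugins/contact-form-7/wp-contact-form-7.php"

# Constructed sample modelled on the standard WordPress plugin header format.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Contact Form 7
Version: 5.3.1
*/
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the value of the 'Version:' header line, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$",
                      header_text, re.MULTILINE)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.3.1' -> (5, 3, 1); non-numeric suffixes are ignored for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def check_wordpress_root(wp_root: str) -> str:
    """Read the plugin header from disk and report its status as a short string."""
    path = f"{wp_root.rstrip('/')}/{PLUGIN_MAIN_FILE}"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            header = fh.read(8192)  # the header sits at the top of the file
    except OSError:
        return "contact-form-7: not installed"
    version = parse_plugin_version(header)
    if version is None:
        return "contact-form-7: version header not found"
    status = "VULNERABLE, update" if is_vulnerable(version) else "ok"
    return f"contact-form-7 {version}: {status}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_wordpress_root(sys.argv[1]))
    else:
        v = parse_plugin_version(SAMPLE_HEADER)
        print(f"sample header reports {v}: vulnerable={is_vulnerable(v)}")
```

Run it as `python3 check_cf7.py /var/www/html` on each host; in a multi-site or multi-tenant setup, loop over every WordPress root, since an unpatched copy on one site is enough for an attacker to drop a web shell on that document root.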
