CVE-2023-6449: New flaw found Contact Form 7 plugin

In the intricate web of WordPress plugins, Contact Form 7 stands out for its versatility and popularity, boasting over 5 million installations. But with great popularity comes great responsibility, and recently, a flaw has been exposed. A vulnerability cataloged as CVE-2023-6449 with a CVSS score of 6.6, has raised concerns about the security of this widely-used plugin.

The vulnerability stems from an issue in the file upload mechanism of the Contact Form 7 plugin, specifically in versions up to and including 5.8.3. The crux of the issue lies in two areas: insufficient file type validation in the ‘validate’ function and inadequate blocklisting in the ‘wpcf7_antiscript_file_name’ function. This oversight opens a gateway for authenticated attackers, particularly those with editor-level access or higher, to upload arbitrary files onto the server hosting the affected site.

While the CVE-2023-6449 vulnerability allows for the uploading of arbitrary files, it’s not too critical. Thanks to the plugin’s .htaccess configuration, remote code execution is generally prevented in most instances. Additionally, by default, uploaded files are immediately deleted from the server. However, complexities arise when other plugins interfere, potentially allowing these files to remain on the server longer than intended. This prolonged presence, when coupled with other vulnerabilities like local file inclusion, could lead to remote code execution, escalating the threat level.

This flaw was found by István Márton, a diligent vulnerability researcher at Wordfence. Recognizing the potential risks, the team behind Contact Form 7 acted swiftly. Their response? An update to version 5.8.4, addresses and patches the vulnerability, fortifying the plugin against such exploits.

This incident underscores a vital lesson for web administrators and WordPress users alike: the importance of staying updated.