Unrestricted File Upload Vulnerability found in Contact Form 7


On the 16th of December, Astra Security Research, a private web application security & solutions company based in U.S. and India, discovered an unrestricted file upload vulnerability in Contact Form 7, a widely-used plugin for WordPress.

What is Unrestricted File Upload Vulnerability?

Unrestricted file upload refers to a situation in which an application lets an attacker upload malicious files or malware to a user’s system or interface without the user knowing. The flaw is called “unrestricted” because the application imposes no restriction or control on what gets uploaded. The vulnerability is the expected possibility that your application will be compromised through such an upload: the more vulnerable your application is, the greater the chance that unrestricted files end up on your system or interface.
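To make the "no restriction or control" point concrete, here is an added example (not code from Contact Form 7 or from Astra) of the checks an upload handler needs before it accepts a file: the filename is normalized and rejected if it carries control characters, path separators or an interpreter extension anywhere in its dotted parts, the final extension must be on an allowlist, the first bytes must match the declared type, and the stored name is generated rather than taken from the user. The allowlist, the magic-number table and the sample uploads are all constructed for the example.

```python
"""Upload validation example (added illustration, not the plugin's code)."""
import os
import re
import secrets
import unicodedata

# Constructed allowlist of what this form is willing to accept.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}

# Extensions a typical web server hands to an interpreter. A name that
# contains one of these in any position (e.g. "shell.php.jpg") is refused.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
    "cgi", "pl", "py", "sh", "asp", "aspx", "jsp",
}

# Leading bytes expected for each allowed binary type (constructed table).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

SAFE_NAME = re.compile(r"[A-Za-z0-9_\-]+(\.[A-Za-z0-9_\-]+)+")


def validate_upload(filename: str, content: bytes):
    """Return (accepted, reason, stored_name).

    stored_name is a random name that never derives from user input, so the
    original filename cannot influence where or how the file is served.
    """
    name = unicodedata.normalize("NFKC", filename)
    if not name or len(name) > 255:
        return False, "empty or oversized filename", None
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return False, "control character in filename", None
    if "/" in name or "\\" in name or name != os.path.basename(name):
        return False, "path separator in filename", None
    if not SAFE_NAME.fullmatch(name):
        return False, "disallowed characters in filename", None

    parts = name.lower().split(".")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' not allowed", None
    if EXECUTABLE_EXTENSIONS & set(parts[:-1]):
        return False, "executable extension embedded in filename", None

    if ext in MAGIC:
        # The declared type must be backed by the file's own header bytes.
        if not content.startswith(MAGIC[ext]):
            return False, "content does not match declared type", None
    else:
        # Plain text: must decode as UTF-8 and carry no NUL or script opener.
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text upload is not valid UTF-8", None
        if b"\x00" in content or b"<?" in content:
            return False, "text upload contains forbidden bytes", None

    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads: (filename, first bytes of content).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n"),
    ("shell.php", b"<?php echo 1;"),
    ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
    ("../../evil.png", b"\x89PNG\r\n\x1a\n"),
    ("photo\t.png", b"\x89PNG\r\n\x1a\n"),
    ("photo.png", b"not really a png"),
]


def run_samples():
    """Map each sample filename to the reason the validator gives."""
    return {fname: validate_upload(fname, data)[1] for fname, data in SAMPLES}


if __name__ == "__main__":
    for fname, reason in run_samples().items():
        print(f"{fname!r:20} -> {reason}")
```

The important design choice is that every decision is made on an allowlist and on the bytes actually received, not on what the client claims; a check that only looks at the last few characters of the name is what turns an upload feature into an unrestricted one.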

Where was Unrestricted File Upload Vulnerability Found?

According to the Astra Security Research team, led by Jinson Varghese, the unrestricted file upload vulnerability was found in version 5.3.1 of the WordPress plugin Contact Form 7 and in older versions as well. Contact Form 7 is one of the most commonly used WordPress plugins; it had over five million active installations at the time the vulnerability was reported. Contact Form 7 allows users to add multiple contact forms to their website.

An unrestricted file upload vulnerability in such a popular plugin made it easy for attackers to exploit it and upload files of any type without restriction. It also allowed attackers to insert malware into other forms or plugins, making those vulnerable to attack as well.

The Overall Collateral Damage of Contact Form 7

Since Contact Form 7 had over five million active installations at the time of discovery, it was immediately assumed that all five million of those websites were affected, along with the installations that were inactive. Beyond that, because attackers could insert malware into other plugins as well, millions of other websites were also at risk.

New Update to Prevent More Damage

It was reported that as soon as the unrestricted file upload vulnerability was found, the Astra Security Research team got hold of the Contact Form 7 plugin developers through a support forum. Once the plugin developers agreed to communicate with the research team directly, the full details of the research were disclosed. On the same day, an update to Contact Form 7 was released and the new version was free of the vulnerability. Astra also publicly commended Takayuki Miyoshi for his quick response and his sincerity towards the security of the plugin’s users.


All this took place in a matter of two days, according to the blog post published on the Astra website. Here is the disclosed timeline, which outlines the entire process:

  • December 16th, 2020: Astra Security Research team discovers the unrestricted file upload vulnerability.
  • December 16th, 2020: Astra’s team tries to get in contact with the WordPress plugin developers.
  • December 16th, 2020: Astra’s team receives an acknowledgment from the plugin developers.
  • December 17th, 2020: Astra’s team sends the full vulnerability disclosure details to the Contact Form 7 developer team.
  • December 17th, 2020: The plugin developers fix the vulnerability, and an initial, insufficient patch update is released.

How could this have Impacted the Net Sphere?

Due to the popularity of Contact Form 7, this vulnerability could have been detrimental to countless businesses as well as passion projects. According to a survey published by Netcraft, over 455,000,000 websites use WordPress, and most WordPress websites are fully functioning online businesses. With all this in mind, a quickly resolved vulnerability affecting over five million websites is a small price to pay for the secure future of over 455 million other active websites.


Suggestion for Protection Against Future Threats

Security experts have suggested that all WordPress users would be wise to update Contact Form 7 to the latest version, 5.3.2. However, it is also recommended that users take certain security measures themselves. There are security guides you can follow and practical steps you can take to remove malware and protect your website in the future. The worldwide web has given businesses a great opportunity to grow and prosper, but it is not without threats, so initiatives must be taken to prevent malicious attacks in cyberspace.
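Updating the plugin closes the hole going forward, but it does not tell you whether something was already dropped into the uploads directory while the site was exposed. As an added example (not part of the original article or of any Astra or WordPress tool), the script below walks an uploads tree the way a defender would when triaging a site: it flags files whose name carries a server-executable extension in any position, files whose extension is not one the forms are expected to produce, and files whose leading bytes look like script source even though the extension is benign. The expected-extension list and the sample tree are constructed for the example.

```python
"""Uploads-directory triage example (added illustration, not a WordPress tool)."""
import tempfile
from pathlib import Path

# Constructed: what a contact form on this site is expected to have stored.
EXPECTED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}

# Extensions the web server would typically hand to an interpreter.
INTERPRETER_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
    "cgi", "pl", "py", "sh", "asp", "aspx", "jsp",
}

# Byte sequences that indicate script source inside a supposedly inert file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"#!/")


def scan_uploads(root):
    """Return a sorted list of (relative_path, finding) for suspicious files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        lowered = path.name.lower()
        if lowered == ".htaccess":
            # Server configuration has no business in an uploads tree.
            findings.append((rel, "web server configuration file"))
            continue
        parts = lowered.split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        if ext in INTERPRETER_EXTENSIONS or INTERPRETER_EXTENSIONS & set(parts[:-1]):
            findings.append((rel, "server-executable extension"))
            continue
        if ext not in EXPECTED_EXTENSIONS:
            findings.append((rel, "unexpected extension"))
            continue
        # Benign extension: still look at the first bytes for script source.
        with path.open("rb") as fh:
            head = fh.read(512)
        if any(marker in head for marker in SCRIPT_MARKERS):
            findings.append((rel, "script content in non-script file"))
    return sorted(findings)


# Constructed sample tree: path -> leading bytes of content.
SAMPLE_TREE = {
    "2020/12/report.pdf": b"%PDF-1.4\n",
    "2020/12/photo.jpg": b"\xff\xd8\xff\xe0",
    "2020/12/notes.txt.php": b"<?php echo 1;",
    "2020/12/image.png": b"<?php echo 'x';",
    "2020/12/.htaccess": b"Options +Indexes\n",
    "2020/12/backup.zip": b"PK\x03\x04",
}


def build_sample_tree(root):
    """Write SAMPLE_TREE under root so the scanner has something to walk."""
    for rel, data in SAMPLE_TREE.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def scan_sample_tree():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_uploads(tmp)


if __name__ == "__main__":
    for rel, finding in scan_sample_tree():
        print(f"{rel:28} {finding}")
```

Run it against a copy of the real uploads directory rather than the live one, and treat every hit as something to examine by hand; the scan is a first pass that narrows what a reviewer has to look at, not a verdict.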
