WordPress Contact Form 7 Plugin Exploit – Remote File Upload

⭐️Contact Form 7 Exploit


Let's come straight to the important point: if you use the Contact Form 7 plugin, update to version 5.3.2 or later as soon as possible (every current release is newer than that). In this article we explain the Contact Form 7 unrestricted file upload vulnerability, CVE-2020-35489, how it was fixed, and, separately, the older Contact Form 7 privilege escalation flaw in form editing that was fixed in version 5.0.4.

Reports of vulnerabilities in WordPress plugins have become a daily occurrence. Most of these flaws are found early, but early detection alone does not prevent exploitation: a site only benefits once the patch is actually installed, and unpatched sites are what get hacked.

The patched version, 5.3.2, was released on December 17, 2020. If your site is one of the many using Contact Form 7, we strongly recommend updating to version 5.3.2 or later as soon as possible.

Astra Security reported the flaw in Contact Form 7, a popular plugin for building forms. If exploited, it lets a form submitter upload a file whose name slips past the plugin's sanitization and that, depending on the server configuration, may be executed as a script.

Key Points – WordPress contact-form-7 exploit

  1. Vulnerability Overview:
    • Type: Unrestricted File Upload.
    • Affected Version: Contact Form 7 versions 5.3.1 and earlier.
    • Patched Version: 5.3.2.
  2. Exploit Mechanics:
    • An attacker submits a form with a file whose name bypasses the plugin's file name sanitization, so the upload type restrictions do not hold.
    • A file with a script extension can therefore be stored on the server; if the server executes it, the site can be taken over.
  3. Risks:
    • Full site control by attackers.
    • Defacement and data theft.
    • Increased risk of malware injection.
  4. Mitigation:
    • Immediate update to version 5.3.2.
    • Regular security scans and best practices for WordPress security.
  5. CVE-2020-35489:
    • Rated critical, with a CVSS v3.1 base score of 10.0 in the NVD entry. Wordfence's own analysis of the patch rated the practical impact lower (see its statement further down).


A hacker who successfully exploited the vulnerability could perform various malicious activities, such as modifying content, redirecting visitors to unknown sites, stealing information, and could even take full control of the target site and block access to the legitimate administrator.

As if that weren't enough, Google Safe Browsing can flag the compromised site, so browsers warn visitors away, which complicates the recovery process.

Contact Form 7 is a popular plugin active on more than 5 million WordPress sites. Version 5.3.2, released on December 17, 2020, patches an unrestricted file upload vulnerability that, under the right server configuration, could let an attacker take control of the site or of the server hosting it. The plugin has had several serious security flaws over the years, and those flaws have led to many sites being hacked.

This popular WordPress plugin adds contact forms to a site and manages the submissions that visitors leave after filling them in.

⭐️Contact Form 7 Plugin Vulnerability In WordPress

Like every WordPress plugin, Contact Form 7 lives under the wp-content directory, and files that visitors upload through a form land under wp-content/uploads. These directories hold site content rather than credentials or configuration, but a file upload flaw that lets an attacker place a script there, or reach files outside that directory, exposes everything the web server account can read, including confidential data such as wp-config.php.

The Contact Form 7 vulnerability lets an attacker place a file with a script-like name in the WordPress uploads directory, specifically the temporary directory /wp-content/uploads/wpcf7_uploads/ that the plugin uses for form attachments. If the web server executes that file, the attacker can go on to take over the whole website. The plugin writes an .htaccess file into that directory that denies direct access on Apache; check that it is still present, and remember that nginx does not read .htaccess at all, so an equivalent location rule is needed there.

Updating the plugin closes the hole but does not remove anything that was uploaded before the update, so it is important to scan your WordPress site with a malware scanner and clean any infected files.
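The following is an added example for this page, not part of the plugin or of any scanner mentioned here: an offline triage script that walks a copy of wp-content/uploads and reports the file shapes this vulnerability produces. It assumes the standard layout, with the plugin's wpcf7_uploads directory directly under uploads and normally guarded by a "Deny from all" .htaccess; the reason codes, the extension list and the sample tree it builds in a temporary directory are all this example's own.

```python
"""Offline triage of a WordPress uploads tree for files Contact Form 7's
sanitizer should never have let through. Added example for this page, not part
of the plugin or of any scanner named here. Assumes <site>/wp-content/uploads
with the plugin's temporary directory wpcf7_uploads beneath it. Run it against a
copy of the uploads tree, not against the live site.
"""
import shutil
import tempfile
import unicodedata
from pathlib import Path

# Extensions a web server might hand to a script interpreter (illustrative list).
SCRIPT_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar",
               "pl", "py", "rb", "cgi", "asp", "aspx"}
PHP_MARKERS = (b"<?php", b"<?=")


def findings_for_file(path: Path, root: Path) -> list[tuple[str, str]]:
    """Return (relative path, reason) pairs for one file."""
    rel = path.relative_to(root).as_posix()
    hits = []
    # 1. Control/format characters in the name: the CVE-2020-35489 bypass shape.
    if any(unicodedata.category(ch)[0] == "C" for ch in path.name):
        hits.append((rel, "special-char-in-name"))
    # 2. A script extension anywhere after the first dot (a.php, a.php.jpg).
    #    The sanitizer's neutralised form 'php_' is deliberately not matched.
    if any(part in SCRIPT_EXTS for part in path.name.lower().split(".")[1:]):
        hits.append((rel, "script-extension"))
    # 3. PHP open tag in the first bytes, whatever the name says (catches image polyglots too).
    with path.open("rb") as fh:
        head = fh.read(4096)
    if any(marker in head for marker in PHP_MARKERS):
        hits.append((rel, "php-open-tag"))
    return hits


def scan_uploads(uploads_dir) -> list[tuple[str, str]]:
    """Scan an uploads tree; the plugin's temp directory must keep its .htaccess guard."""
    root = Path(uploads_dir)
    findings = []
    tmp_dir = root / "wpcf7_uploads"
    if tmp_dir.is_dir() and not (tmp_dir / ".htaccess").is_file():
        findings.append(("wpcf7_uploads", "missing-htaccess"))
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != ".htaccess":
            findings.extend(findings_for_file(path, root))
    return findings


def build_fixture() -> Path:
    """Constructed uploads tree: two clean files and three suspicious ones."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    media = root / "2020" / "12"
    media.mkdir(parents=True)
    tmp_dir = root / "wpcf7_uploads"
    tmp_dir.mkdir()                                   # .htaccess deliberately absent
    (media / "brochure.pdf").write_bytes(b"%PDF-1.4\n%constructed\n")
    (media / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (media / "x.php").write_bytes(b"not really php, but the name is enough\n")
    (tmp_dir / "notes.txt").write_bytes(b"<?php /* constructed marker */ ?>\n")
    # Zero-width space (U+200B) inside the extension: the bypass shape, plus a PHP tag after a JPEG header.
    (tmp_dir / "shell.php\u200b.jpg").write_bytes(b"\xff\xd8<?php /* constructed marker */ ?>")
    return root


def scan_fixture() -> set[tuple[str, str]]:
    """Build the fixture, scan it, delete it, and return the findings as a set."""
    root = build_fixture()
    try:
        return set(scan_uploads(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in sorted(scan_fixture()):
        print(f"{reason:22} {rel!r}")
```

The name check and the content check are independent on purpose: a file renamed to something harmless still carries its PHP open tag, and a file with an innocent body but a script extension is still worth a look because the sanitizer should have renamed it. Treat every hit as something to inspect by hand, not as proof of compromise.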

An earlier and separate flaw concerned form editing rather than uploads. Only site administrators are supposed to be able to modify forms created with Contact Form 7, a restriction tied to a setting called capability_type that defines the permission required. A bug in how that setting was applied allowed any user, regardless of privilege level, to make changes to the forms.

That flaw opened a second attack scenario through the file types a form accepts. Some forms ask users to upload files in particular formats (PDF, JPG, GIF, among others); a threat actor able to edit the form could change that configuration so that executables (PHP, ASP and others) were accepted on the target site, and then build further attacks on top of that.

That report was sent to the plugin developers, who fixed the bug in version 5.0.4. The International Institute for Cyber Security (IICS) strongly advises administrators of vulnerable deployments to update to the latest version as soon as possible.

The file upload vulnerability, CVE-2020-35489, affects version 5.3.1 and earlier of the plugin. At the time of disclosure it was estimated that around 70% of active Contact Form 7 installations were running a vulnerable version.

CVE-2020-35489 as scored in the NVD (fixed in Contact Form 7 5.3.2)

CVSS v3.1 Severity and Metrics:

Base Score: 10.0 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact Score: 6.0
Exploitability Score: 3.9

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

The finding came from researchers at Astra Security, who reported the bug to the plugin developers; the developers corrected it quickly in version 5.3.2.

The vulnerability lets an attacker bypass the plugin's file name checks and upload a file with a script extension to any site that has a file upload field and runs an outdated version of the plugin. Depending on how the server treats such files, this could allow the attacker to inject a malicious script into the site, take control of it, or deface it.

Update WordPress Contact Form 7 Plugin Immediately

Contact Form 7 5.3.2 has been released. This is an urgent maintenance and security release. We strongly recommend that you update immediately.

Wordfence, which examined the fix, was more cautious about the practical impact. In its words:

We were able to use a double extension plus a Unicode character to pass a single security check, the wpcf7_antiscript_file_name.

This function was only one of many security measures in place for the upload process, and bypassing it did not allow uploading files with extensions that would be executable on any of our test setups.

CVE-2020-35489: Unrestricted File Upload Vulnerability


An unrestricted file upload vulnerability was found in Contact Form 7 5.3.1 and earlier. Using it, a form submitter can bypass Contact Form 7's file name sanitization and upload a file that may be executed as a script on the host server.

In other words, the plugin's own file type restrictions no longer hold: an attacker can upload a malicious file such as a PHP script and, if the server runs it, take control of the site or deface it.
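To make the bypass concrete, here is an added example written for this page in Python; it is not the plugin's PHP code. It models the wpcf7_antiscript_file_name() check as the plugin applied it through 5.3.1 and with the character stripping that 5.3.2 added in front of it. The script-extension list and the exact character classes the patch removes are assumptions drawn from the plugin's changelog, and names such as antiscript_file_name_vulnerable are this example's own.

```python
"""Model of Contact Form 7's wpcf7_antiscript_file_name() before and after 5.3.2.

Added example for this page, written in Python; it is not the plugin's PHP code.
The pre-patch logic mirrors the plugin's approach: split the name on '.', append
'_' to every middle part that looks like a script extension, and turn a script
final extension into '<ext>_.txt'. The regex is anchored, so a part such as
'php<TAB>' or 'php<ZWSP>' is not recognised and survives untouched; that is the
bypass. The patched variant models the 5.3.2 change by removing control, format
and separator characters before that check (the exact character classes the
plugin strips are an assumption here).
"""
import re
import unicodedata

# Script extensions as checked by the plugin (illustrative; later versions may differ).
SCRIPT_EXT = re.compile(r"^(php|phtml|pl|py|rb|cgi|asp|aspx)\d?$", re.IGNORECASE)


def _neutralise_script_parts(filename: str) -> str:
    """The dot-part inspection shared by both versions."""
    filename = filename.rsplit("/", 1)[-1]            # basename, like wp_basename()
    parts = filename.split(".")
    if len(parts) < 2:                                # no extension: nothing to do
        return filename
    out, ext = parts[0], parts[-1]
    for part in parts[1:-1]:                          # middle parts of a.b.c
        out += "." + part + ("_" if SCRIPT_EXT.match(part) else "")
    if SCRIPT_EXT.match(ext):                         # final extension
        out += "." + ext + "_.txt"
    else:
        out += "." + ext
    return out


def antiscript_file_name_vulnerable(filename: str) -> str:
    """<= 5.3.1 behaviour: the raw name goes straight to the part check."""
    return _neutralise_script_parts(filename)


def strip_special_chars(filename: str) -> str:
    """Model of the 5.3.2 hardening: drop Unicode 'Other' (Cc/Cf/Cn/Co/Cs) and
    'Separator' (Zs/Zl/Zp) characters and any other whitespace. Ordinary spaces
    go too, so 'my file.pdf' becomes 'myfile.pdf'."""
    return "".join(
        ch for ch in filename
        if unicodedata.category(ch)[0] not in ("C", "Z") and not ch.isspace()
    )


def antiscript_file_name_patched(filename: str) -> str:
    """5.3.2 behaviour (modelled): sanitize the characters first, then check the parts."""
    return _neutralise_script_parts(strip_special_chars(filename))


if __name__ == "__main__":
    # Constructed file names; TAB and the zero-width space (U+200B) stand in for
    # the "Unicode character" that let the double extension through.
    for name in ["report.pdf", "shell.php", "shell.php.jpg", "shell.php\t", "shell.php\u200b.jpg"]:
        print(f"{name!r:24} vulnerable -> {antiscript_file_name_vulnerable(name)!r:24} "
              f"patched -> {antiscript_file_name_patched(name)!r}")
```

One detail worth knowing when reading the anchored pattern: in both PCRE and Python, `$` also matches just before a trailing newline, so `shell.php\n` is caught by the old check while `shell.php\t` is not. Whether the surviving file actually runs depends on the web server's extension handling, which is exactly the point Wordfence raised.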

Every website with this plugin installed should move to the patched version to protect itself from cybercriminals.

This is further proof that professional website maintenance matters, alongside the broader security processes an organisation should keep in place, from awareness-raising and pentesting to staff training.

Site owners and administrators using this plugin are advised to install the latest Contact Form 7 update as soon as possible.

Contact Form 7 alternatives

In terms of security, there are several alternatives to Contact Form 7 that are considered secure; whichever form plugin you use, the same rule applies: keep it updated.


Contact Form 7 plugin file upload vulnerability: FAQs

How can I secure my WordPress site from file upload vulnerabilities?

  • Keep plugins and themes updated, restrict the allowed upload types to what each form actually needs, validate both the extension and the file content on the server, keep uploads in a directory where script execution is disabled, and monitor the upload directories with a scanner.
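One server-side control for the "script execution disabled" point, as an added example and not something taken from this page or the plugin: an .htaccess placed in wp-content/uploads that stops Apache from serving any PHP-like file beneath it, whatever the rest of the name looks like. It assumes Apache 2.4 and that AllowOverride permits AuthConfig directives in that directory; nginx ignores .htaccess, so the equivalent there is a location rule denying the same pattern.

```apache
# wp-content/uploads/.htaccess (assumed location; Apache 2.4 syntax)
# Match a script extension anywhere in the name, so shell.php,
# shell.php.jpg and shell.phtml are all refused before any handler runs.
<FilesMatch "\.(php|phtml|php[0-9]|phar)(\.|$)">
    Require all denied
</FilesMatch>
```

Because the match is on the file name as stored, a name carrying an invisible character inside the extension (the shape used against CVE-2020-35489) is not caught by this rule either; that is why the sanitizer fix, the upload directory scan and this rule belong together rather than replacing one another.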

What are common signs of a WordPress site being compromised?

  • Unusual site behavior, new unknown files, unexpected changes, slow performance, and warnings from security plugins.

How do I restore my WordPress site after a hack?

  • Remove malicious code, restore from a clean backup, update all software, change passwords, and strengthen security settings.

What security plugins are recommended for WordPress?

  • Popular options include Wordfence, Sucuri, iThemes Security, and All In One WP Security & Firewall.

Why is it important to keep WordPress plugins updated?

  • Updates patch security vulnerabilities, improve functionality, and ensure compatibility with the latest WordPress version. Regular updates reduce the risk of exploits.