Contact Form 7 Unrestricted File Upload Vulnerability – How does cPGuard protect your websites?

by | Dec 21, 2020

About the vulnerability

Contact Form 7 is a famous WordPress plugin that helps users to create different contact forms on the website. The plugin has a very big user base and having almost over 5 million active installations. So, any vulnerability to such a popular plugin will cause serious security issues to a big number of websites.

Recently there was a report related to this plugin where some security researchers were able to exploit its vulnerability which allowed them to files of any type, bypassing all restrictions set to allow the type of upload-able file types on a website. Also, it allows web shell injections which create it more dangerous and threatening to the website security.

How cPGuard handles the problem?

Immediately after the vulnerability is announced, our WAF team has started investigating it and released a WAF update to protect our user’s websites from the vulnerability. So far cPGuard WAF has the following set of protections against the particular vulnerability.

  • We have an explicit WAF rule which prevents exploiting the particular vulnerability
  • Our existing WAF rules will prevent uploading PHP files
  • Our existing WAF rules will prevent accessing PHP files from the target location.
  • Our scanner engine can report about the  file uploads/injections 

Do I still need to worry?

Our WAF and scanner engine are powerful enough to block such targeted and generic types of web exploits. Even though cPGuard provides security measures for this problem, we still encourage you to advise your users to upgrade the Contact Form 7 plugin to the latest version, 5.3.2.

If you need any additional details, please  contact our support team.