A vulnerability advisory was issued for a WordPress Contact Form 7 add-on plugin that allows unauthenticated attackers to "easily" reach remote code execution. The vulnerability is rated high (8.8 out of 10) on the CVSS severity scale.

Redirection for Contact Form 7 plugin
The vulnerability affects the Redirection for Contact Form 7 WordPress plugin, which is installed on over 300,000 websites. The plugin extends the functionality of the popular Contact Form 7 plugin. It enables a site owner not only to redirect a user to another page after a form is submitted, but also to store submissions in a database, send email notifications, and block spammy form submissions.
The vulnerability lies in one of the plugin's PHP functions, delete_associated_files. That function suffers from insufficient file path validation: the path of the file it deletes is derived from request input without checking that it points at a file the plugin is actually allowed to remove. An attacker can therefore supply the path of any file on the server and have it deleted.
In practice, an attacker can pass a traversal path such as ../../wp-config.php and delete a critical file like wp-config.php, clearing the way for a remote code execution (RCE) attack. Deleting wp-config.php is significant because WordPress treats its absence as a fresh installation and serves the setup wizard to anyone who visits the site; an attacker can complete that wizard against a database they control and then install a plugin or theme containing arbitrary PHP. An RCE attack is a type of exploit that enables an attacker to execute malicious code remotely (from anywhere on the Internet) and gain control of the website.
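The pattern the advisory describes, shown as an added illustration rather than code from the plugin itself: a deletion routine that joins request-supplied input to a directory and unlinks the result, next to a hardened version that confines deletion to that directory. The function names, the "uploads" directory and the file names are assumptions; the stand-in wp-config.php and the upload are constructed in a temporary tree so the script runs under the plain PHP CLI without WordPress.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the Redirection for Contact Form 7 plugin.
// Function names, the "uploads" directory and the file names are assumptions.

// Insufficient validation: the file name comes straight from the request and is
// joined to the directory, so "../wp-config.php" walks out of it and unlink()
// removes a file the plugin was never meant to touch.
function delete_upload_unsafe(string $uploads_dir, string $name): bool
{
    $path = rtrim($uploads_dir, '/\\') . DIRECTORY_SEPARATOR . $name;
    return is_file($path) && unlink($path);
}

// Hardened: accept a bare file name only, resolve the real path, and require it
// to remain inside the directory. realpath() also follows symlinks, so a link
// placed in the uploads directory that points at wp-config.php is rejected too.
function delete_upload_safe(string $uploads_dir, string $name): bool
{
    $base = realpath($uploads_dir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    if ($name !== basename($name)) {           // any separator or "../" => reject
        return false;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                          // resolved outside the directory
    }
    return is_file($path) && unlink($path);
}

// Demonstration in a throwaway tree that mimics a site root holding wp-config.php.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cf7_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
$config = $root . DIRECTORY_SEPARATOR . 'wp-config.php';
file_put_contents($config, "<?php // constructed stand-in, not a real config\n");
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'resume.pdf', 'constructed upload');

$traversal = '../wp-config.php';

printf("safe, traversal:   %s\n", delete_upload_safe($uploads, $traversal) ? 'deleted' : 'rejected');
printf("safe, plain name:  %s\n", delete_upload_safe($uploads, 'resume.pdf') ? 'deleted' : 'rejected');
printf("config present:    %s\n", file_exists($config) ? 'yes' : 'no');
printf("unsafe, traversal: %s\n", delete_upload_unsafe($uploads, $traversal) ? 'deleted' : 'rejected');
printf("config present:    %s\n", file_exists($config) ? 'yes' : 'no');

// Remove the throwaway tree.
array_map('unlink', glob($uploads . DIRECTORY_SEPARATOR . '*') ?: []);
rmdir($uploads);
if (file_exists($config)) {
    unlink($config);
}
rmdir($root);
```

Run it with the PHP CLI: the hardened function refuses the traversal name and deletes only the plain upload, while the unsafe function removes the stand-in wp-config.php, which is the outcome the advisory warns about. The prefix check on the resolved path is what does the work; rejecting names that differ from their basename() is a cheap first filter, not a substitute. In a real plugin the permitted directory would come from wp_upload_dir(), and a capability or nonce check on the request belongs in front of the deletion as well, since the advisory's point is that no authentication was required to reach it.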
The Wordfence advisory explains:
"This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
The vulnerability affects all versions of the plugin up to and including version 3.2.4. Users of the affected plugin are advised to update to the latest version. The installed version can be confirmed on the Plugins screen of the WordPress admin or with the WP-CLI command wp plugin list; sites that cannot update immediately should also check that wp-config.php is still present and that the site is not serving the installation wizard.
Featured Image by Shutterstock/Everyonephoto Studio