The WordPress plugin Contact Form 7 (CF7) has a reported privilege escalation vulnerability affecting Contact Form 7 5.0.3 and older versions; more information can be found on the plugin's website.
Exploiting this Vulnerability
Utilizing this vulnerability, a logged-in user in the Contributor role can potentially edit contact forms, which by default only users in the Administrator and Editor roles are allowed to access. The issue was reported by Simon Scannell of RIPS Technologies.
This vulnerability can be escalated to a Local File Inclusion (LFI) attack, where an attacker can include a shell script such as c9Shell and exploit your web server in numerous ways.
Fixing This Vulnerability
- Update your version of Contact Form 7 to the latest version.
- The updated versions of Contact Form 7 (5.0.4 and higher) restrict the local file attachment feature. More particularly, you will no longer be able to specify an absolute file path that refers to a file placed outside the wp-content directory.
- Upload local file attachments inside the wp-content directory using the WordPress media uploader, and reference them with a relative or absolute path inside that directory. All you need to change is the location of the attachment files.
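To make the restriction concrete, here is an added example (not Contact Form 7's own code) of a defender-side check that mirrors the behaviour described above: an attachment path is accepted only if it resolves to a location inside wp-content. WP_CONTENT_DIR is the standard WordPress constant; the fallback value, the cf7demo_ function names and the sample paths are constructed for this demo, and str_starts_with() requires PHP 8.

```php
<?php
// Added example, not CF7's code: accept an attachment path only if it stays inside wp-content.
if (!defined('WP_CONTENT_DIR')) {
    define('WP_CONTENT_DIR', '/var/www/html/wp-content'); // constructed fallback for stand-alone runs
}

// Lexically normalise a path (resolve "." and "..") without touching the filesystem,
// so the check also works for attachments that have not been uploaded yet.
function cf7demo_normalize_path(string $path): string {
    $path = str_replace('\\', '/', $path);
    $isAbsolute = str_starts_with($path, '/');
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts); // climbing above the root is simply discarded
            continue;
        }
        $parts[] = $segment;
    }
    return ($isAbsolute ? '/' : '') . implode('/', $parts);
}

// Return the absolute attachment path if it lies inside wp-content, or null to reject it.
// Relative paths are resolved against wp-content, where the post says attachments belong.
function cf7demo_resolve_attachment(string $userPath): ?string {
    $base = rtrim(cf7demo_normalize_path(WP_CONTENT_DIR), '/');
    $candidate = str_starts_with(str_replace('\\', '/', $userPath), '/')
        ? cf7demo_normalize_path($userPath)
        : cf7demo_normalize_path($base . '/' . $userPath);
    // Containment test with a trailing slash, so "/.../wp-content-evil" is not taken for a child.
    if ($candidate === $base || str_starts_with($candidate, $base . '/')) {
        // If the file already exists, also compare realpath() results: a symlink placed
        // inside wp-content could otherwise still point outside it.
        if (file_exists($candidate) && !str_starts_with(realpath($candidate), $base)) {
            return null;
        }
        return $candidate;
    }
    return null;
}

// Constructed sample inputs: the first two are accepted, the remaining three are rejected.
foreach (['uploads/2018/brochure.pdf', '/var/www/html/wp-content/uploads/terms.pdf',
          '/etc/passwd', '../wp-config.php', '/var/www/html/wp-content-evil/x'] as $p) {
    printf("%-45s => %s\n", $p, cf7demo_resolve_attachment($p) ?? 'REJECTED');
}
```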
Requires: WordPress 4.8 or higher
Tested up to: WordPress 4.9.8