Contact Form 7 Extension For Mailchimp Contains Multiple Vulnerabilities
On Friday, the WordPress plugin Contact Form 7 Extension For Mailchimp, one of the 1,000 most popular plugins in the WordPress Plugin Directory, was closed. The plugin has 90,000+ installs. No reason was given for the closure. There is a recent claim that the plugin contains an unfixed vulnerability, but no details are provided for anyone trying to verify that (no surprise considering the source, Patchstack). In quickly checking over the plugin, we found that it contains multiple vulnerabilities caused by a lack of basic security. We recommend against using the plugin unless a thorough security review has been done and all issues have been fixed.
On Sunday, the developer released a new version, with the changelog reading “Addressed security reports and performed a full security check.” Despite that, none of the issues mentioned below, which we had noticed before that change, have been resolved.
As an example of the basic security issues that lead to the vulnerabilities, take the functionality to display the plugin's logging. That functionality is intended to be accessed by users who have access to administer a Contact Form 7 form (who actually has that access in the admin interface is yet another security issue). Yet the AJAX registration for the functionality allows even those not logged in to WordPress to access it:
add_action('wp_ajax_chimpmatic_logload', 'chimpmatic_logload');
add_action('wp_ajax_no_priv_chimpmatic_logload', 'chimpmatic_logload');
The function called by that hook, which is in the file /lib/find.php, doesn't do any additional security checks before outputting the log:
function chimpmatic_logload() {
    global $wpdb;
    get_log_array();
    wp_die();
}

function get_log_array() {
    $default = array();
    $log = get_option('mce_db_issues_log', $default);
    $chimp_log = '';
    foreach ($log as $item) {
        $chimp_log .= "\n" . '[' . $item['datetxt'] . ' UTC]';
        $chimp_log .= $item['content'] . "\n";
        $chimp_log .= print_r($item['object'], true) . "\n\n\n\n";
    }
    echo $chimp_log;
}
So anyone can read the plugin's stored log without logging in. That is an information disclosure vulnerability.
Other functionality in the plugin is also made AJAX accessible without the needed security checks.
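To make the missing checks concrete, here is an added example (our illustration, not code from the plugin or its developer) that puts the pattern quoted above next to a hardened version of the same handler. WordPress runs a handler for visitors who are not logged in only when it is registered on the wp_ajax_nopriv_{action} hook, so dropping that registration is the first fix; the handler then also needs a nonce check and a capability check. The nonce action name chimpmatic_logload and the use of Contact Form 7's wpcf7_edit_contact_forms capability as the "may administer a form" test are assumptions made for this example, not something the plugin currently does.

```php
<?php
// Added example, not the plugin's code. The option name mce_db_issues_log and
// the log item keys (datetxt, content, object) are taken from the plugin code
// quoted above; the nonce action name and the capability are assumptions.

// Builds the same text that the plugin's get_log_array() echoes, but returns
// it instead of printing it, so both handlers below can reuse it.
function chimpmatic_format_log() {
    $log = get_option('mce_db_issues_log', array());
    $out = '';
    foreach ((array) $log as $item) {
        $out .= "\n[" . ($item['datetxt'] ?? '') . " UTC]";
        $out .= ($item['content'] ?? '') . "\n";
        $out .= print_r($item['object'] ?? null, true) . "\n\n";
    }
    return $out;
}

// --- Vulnerable pattern (the behaviour described in the post) ---
// The wp_ajax_nopriv_ hook makes the handler reachable without logging in,
// and the handler does no capability or nonce check before echoing the log,
// so GET /wp-admin/admin-ajax.php?action=chimpmatic_logload returns it to anyone.
add_action('wp_ajax_chimpmatic_logload', 'chimpmatic_logload_vulnerable');
add_action('wp_ajax_nopriv_chimpmatic_logload', 'chimpmatic_logload_vulnerable');

function chimpmatic_logload_vulnerable() {
    echo chimpmatic_format_log();
    wp_die();
}

// --- Hardened pattern ---
// 1. No nopriv registration: unauthenticated requests never reach the handler.
// 2. check_ajax_referer() stops the request (HTTP 403) if the 'nonce' request
//    parameter is missing or stale, which blocks cross-site request forgery.
// 3. current_user_can() limits the action to users who may manage forms
//    (assumption: Contact Form 7's wpcf7_edit_contact_forms capability).
add_action('wp_ajax_chimpmatic_logload', 'chimpmatic_logload_hardened');

function chimpmatic_logload_hardened() {
    check_ajax_referer('chimpmatic_logload', 'nonce');

    if (!current_user_can('wpcf7_edit_contact_forms')) {
        wp_send_json_error('Insufficient permissions.', 403);
    }

    // Escaped so that log contents cannot inject markup into the admin page
    // that renders the response.
    wp_send_json_success(esc_html(chimpmatic_format_log()));
}

// The admin-side script that issues the request must carry the matching nonce,
// e.g. passed in when the script is enqueued (handle name is an assumption):
//   wp_localize_script('chimpmatic-admin', 'chimpmaticLog', array(
//       'nonce' => wp_create_nonce('chimpmatic_logload'),
//   ));
// and then sent as the 'nonce' parameter alongside action=chimpmatic_logload.
```

When testing a fix, the useful check is the one the vulnerable half shows: request admin-ajax.php?action=chimpmatic_logload with no cookies and confirm the response is WordPress's "0" (no handler ran for a logged-out visitor) rather than the log text. A version that keeps the nopriv hook but adds only a nonce check is still reachable by anyone who can obtain a nonce, so both the hook removal and the capability check matter.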
WordPress Causes Full Disclosure
As a protest of the continued inappropriate behavior of the moderators of the WordPress Support Forum, we have changed from reasonably disclosing to fully disclosing vulnerabilities in plugins in the WordPress Plugin Directory until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about it for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)
You can notify the developer of this issue on the forum as well.
After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?
If you are reading this post down the road, the best way to find out whether this vulnerability, or other vulnerabilities in WordPress plugins you use, has been fixed is to sign up for our service, since what we uniquely do with that type of data is test whether vulnerabilities have really been fixed. Relying on the developer's information can lead you astray, as we often find that developers believe they have fixed vulnerabilities but have failed to do so.
Proof of Concept
The following proof of concept will show any logging from the plugin, without requiring a login.
Replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin-ajax.php?action=chimpmatic_logload