1 Dec 2023

Latest Release of Contact Form 7 Didn’t Actually Fix Authenticated (Editor+) Arbitrary File Upload Vulnerability

Recently, the WordPress security provider Wordfence was criticizing another provider, Patchstack, for incentivizing low quality claims of vulnerabilities in WordPress plugins:

“There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,” he said. “Vulnerabilities that involve a Cross-Site Request Forgery are an example of this. The incentives we are seeing out there encourage researchers to generate a high volume of low risk vulnerabilities to get rewarded. These high numbers are then used to market security products.” [Read more]

14 Mar 2023

Wordfence’s Solution to Their Firewall Incorrectly Blocking Legitimate Request is to Disable Needed Protection

In our testing, the most popular security-only WordPress security plugin Wordfence Security fails to provide as much protection as other much less popular security plugins. Making the situation worse is that it introduces a significant performance penalty over security plugins that provide better protection. There is another problem with the plugin we have been running across instances of for years. Its firewall incorrectly blocks legitimate requests in situations where there doesn’t appear to be any reason it should have blocked the request.

Recently someone posted on the plugin’s support forum complaining that the firewall was blocking contact form submissions from the 5+ million install plugin Contact Form 7. They stated that what was causing it was the input containing the word “Data”. That seems odd. A Wordfence employee asked for a screenshot of the log information for the block and the poster replied with a screenshot that showed a request being blocked. [Read more]

25 Mar 2022

Not Really a WordPress Plugin Vulnerability, Week of March 25

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Arbitrary File Deletion via Zip Slip (Authenticated) in iQ Block Country

A claimed arbitrary file deletion via Zip slip (authenticated) vulnerability in iQ Block Country is described this way: [Read more]

21 Feb 2020

Not Really a WordPress Plugin Vulnerability, Week of February 21

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Remote File Upload in Contact Form 7

A claimed remote file upload vulnerability in the plugin Contact Form 7 is a good example of the fact that the appearance of a credible vulnerability report can be false. While the report has a proof of concept for the claimed issue, which would seem to indicate that the reporter had tested it out, they clearly didn’t. That proof of concept has a request sent directly to a file in the plugin, /modules/file.php, but if you send a request to that file it will cause a fatal error when the first line of code in the file runs: [Read more]

14 Sep 2018

Astra Falsely Claims That Minor Vulnerabilities in Contact Form 7 Lead To Websites Being Hacked

If you are looking for information on vulnerabilities in WordPress plugins, a common suggestion is to do a search for them, like this recent one from a moderator of the WordPress Support Forum:

Do a search for any known vulnerabilities in the plugin. If any exist for old plugins, they should be well known by now. [Read more]

10 Sep 2018

Vulnerability Details: Authenticated Arbitrary File Viewing Vulnerability in Contact Form 7

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.
[Read more]

9 Oct 2017

Google Not Always Providing Really Relevant Results When Searching For WordPress Plugin Vulnerabilities

In looking at recent traffic from Google coming to our website by way of the Search Analytics portion of Google’s Search Console, we noticed that three of the top five sources of clicks to our website relate to something we don’t have any really relevant content for. The queries all relate to the plugin Contact Form 7:

  • contact form 7 vulnerability
  • contact-form-7 exploit
  • contact form 7 exploit

We don’t have any posts that relate to vulnerabilities in that plugin; the closest that we come to that are some posts about vulnerabilities in software that works with it, which have “Contact Form 7” in their name. In looking at the results for the above queries, the pages from our website do in fact relate to one of those plugins: [Read more]