Update: The Proof of Concept posted on exploit-db has been removed since the publication of this article. We have updated the link to point to an archived copy.
On December 17, 2020, the Astra Security research team disclosed that they had discovered a critical severity Unrestricted File Upload vulnerability in Contact Form 7, the most popular WordPress plugin of all time. The lead researcher, Jinson Varghese, also published a blog post providing limited information about the vulnerability.
The initial disclosure claimed that “By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website.”
At the time, we were unable to duplicate the exploit and published our analysis based on the best information available, which indicated that the vulnerability would be difficult to exploit and would likely require a very specific configuration, but we wanted to wait until a public Proof of Concept was available.
A minimal Proof of Concept submitted to wpvulndb by the original researcher was made available on December 31, 2020. A separate, unverified Proof of Concept appeared on exploit-db on December 20, 2020. On January 10, 2021, the Astra Security team updated their vulnerability announcement stating that a full Proof of Concept would not be released.
None of our threat analysts were able to use these initial Proofs of Concept, or any variants of them, to achieve unrestricted file upload. In fact, we had already attempted several variants of each Proof of Concept when the vulnerability was first disclosed, because our analysis of the plugin patch indicated that these might be a viable approach.
We were able to use a double extension plus a unicode character to pass a single security check, the wpcf7_antiscript_file_name function, but this function is only one of several security measures in place for the upload process, and bypassing it did not make it possible to upload files with extensions that would be executable on any of our test configurations. The most recent of these additional security measures, the use of a randomized upload directory, has been in place for more than 6 years.
We were not able to successfully upload files ending in a “.php” extension, nor were we able to upload files with double extensions (e.g. file.php.jpg, or file.jpg.php, with or without an invisible unicode separator between the two extensions) that would be executed as PHP by any recent web server configuration we have tested. Configurations we have tested include Apache with a PHP AddHandler directive, Apache with an anchored SetHandler directive, Apache + PHP-FPM, NGINX + FastCGI, LiteSpeed, and IIS. Additionally, we have not seen any evidence of this vulnerability being successfully exploited in the wild.
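To make the bypass concrete, here is an added example that is neither the plugin's code nor the researchers' Proof of Concept: a simplified stand-in for the kind of anchored extension check that wpcf7_antiscript_file_name performs, the trailing unicode separator that slips past such a check, and a hardened variant that strips control and separator characters before checking. The function names, the extension list and the regular expression are assumptions made for this illustration and may differ from the plugin's actual code. The only point it demonstrates is the one made above: an invisible character defeats a single anchored regex check, and says nothing about the other measures in the upload process.

```php
<?php
// Added illustration, not Contact Form 7's own code. Function names, the
// extension list and the pattern are assumptions made for this example.

// Anchored check for a script extension, in the style of the plugin's check.
// Note that PCRE's '$' still tolerates a single trailing "\n", but nothing else.
function script_extension_pattern(): string
{
    return '/^(php|phtml|pl|py|rb|cgi|asp|aspx)\d?$/i';
}

// Simplified sanitizer: split on '.', append '_' to any middle part that looks
// like a script extension, and turn a final script extension into '<ext>_.txt'.
// Assumes the caller has already removed any directory component.
function naive_antiscript_file_name(string $filename): string
{
    $parts = explode('.', $filename);
    if (count($parts) < 2) {
        return $filename;
    }
    $base = array_shift($parts);
    $ext  = array_pop($parts);
    foreach ($parts as $part) {
        $base .= preg_match(script_extension_pattern(), $part) ? ".{$part}_" : ".{$part}";
    }
    return preg_match(script_extension_pattern(), $ext) ? "{$base}.{$ext}_.txt" : "{$base}.{$ext}";
}

// Hardened variant: remove unicode control (\pC) and separator (\pZ) characters
// before the check, so an invisible suffix cannot stop the anchored pattern
// from matching. The /u modifier makes PCRE operate on code points, not bytes.
function hardened_antiscript_file_name(string $filename): string
{
    $clean = preg_replace('/[\pC\pZ]+/u', '', $filename);
    if ($clean === null) {
        // preg_replace returns null on invalid UTF-8; refuse rather than guess.
        throw new InvalidArgumentException('filename is not valid UTF-8');
    }
    return naive_antiscript_file_name($clean);
}

// Constructed sample names, including the double extension plus invisible
// separator trick described above (U+2028 LINE SEPARATOR).
$samples = [
    "shell.php",
    "shell.php.jpg",
    "shell.jpg.php",
    "shell.php\u{2028}",
    "shell.jpg.php\u{2028}",
];

foreach ($samples as $name) {
    printf(
        "%-26s naive: %-24s hardened: %s\n",
        json_encode($name),
        naive_antiscript_file_name($name),
        hardened_antiscript_file_name($name)
    );
}
```

Run it with `php example.php`. The naive function returns `shell.php` followed by the separator unchanged, because the anchored pattern never sees a bare `php` extension, while the hardened function strips the separator first and returns `shell.php_.txt`. Even the unchanged name only gets past this one check; whether the stored file is ever reachable and executable depends on the rest of the upload path and the web server configuration, which is exactly what we were unable to demonstrate.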
We contacted the original security researcher requesting more information, but have not heard back at the time of this publication. We also contacted the plugin developer, who indicated that he recognized the bypass in the wpcf7_antiscript_file_name function as a potential vulnerability but had not been supplied with a Proof of Concept that bypassed the other security measures. We reached out to Astra Security, who pointed us to their updated blog post indicating that no Proof of Concept would be released and that they had also not seen any evidence that the vulnerability was being exploited in the wild.
Open source security research is incredibly important and makes the entire WordPress ecosystem safer. It is critically important that vulnerable configurations are known; any server configuration that allows this vulnerability to be exploited could allow currently undiscovered vulnerabilities in other plugins to be exploited as well. It is also important to the credibility of our industry that this research be independently verifiable. While we realize that there may be good reasons not to make a Proof of Concept public, providing such a Proof of Concept to other security researchers allows the industry to improve its response to known threats.
For these reasons, we are requesting that the Astra Security research team, or anyone else in the WordPress or Security community who is able to do so, provide us more information about this vulnerability, as we would like to be able to independently duplicate the issue in order to confirm its impact, not only for the millions of users of Contact Form 7, but also for the wider WordPress ecosystem. We are requesting vulnerable server and plugin configurations in which it is possible to upload an executable PHP file via this vulnerability, as well as an unabridged Proof of Concept that allows us to duplicate the issue.