Contact Manager WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability exists in the Contact Manager plugin for WordPress that allows arbitrary file uploads. The issue arises from inadequate file type validation in the contact form upload feature and affects all versions up to and including 8.6.4. It enables unauthenticated attackers to upload arbitrary files to the server hosting the affected site. In server configurations that interpret a file by its first extension rather than its last, this could lead to remote code execution. Exploitation also requires successfully winning a race condition.

Impact

The vulnerability allows for unauthenticated arbitrary file uploads, which could be exploited to execute malicious code on the server, particularly in environments where the uploaded file is processed as a script.

Reproduction

To reproduce this vulnerability, upload a file through the contact form's file upload feature, ensuring that the file has a double extension (e.g., .php.jpg). The first extension should be one that is executed by the server, such as PHP, while the second extension should be one that is typically allowed, like JPG. This can be done by renaming a file to include the double extension before uploading it. The race condition exploitation may require additional timing adjustments to successfully trigger the vulnerability.
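To show the validation flaw from the defender's side, the following is an added Python model written for this page; it is not the plugin's PHP code and is not taken from the advisory. It places a check that inspects only the last extension (the pattern that lets a double-extension name through) beside a hardened check that inspects every dotted segment, verifies the file header against the claimed type, and stores the file under a server-generated name. The allowlist, the set of executable extensions, the magic-byte table and the sample submissions are all constructed for the example.

```python
import os
import secrets

# Constructed allowlist for this example: what the contact form is meant to accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Constructed, non-exhaustive set of extensions a web server may route to an interpreter.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
    "cgi", "pl", "py", "sh", "jsp", "asp", "aspx",
}

# Leading bytes expected for each allowed type (constructed table of well-known signatures).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def weak_is_allowed(filename: str) -> bool:
    """Model of the flawed check: only the text after the LAST dot is inspected,
    so 'shell.php.jpg' passes because its final extension is 'jpg'."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Inspect every dotted segment after the stem, not just the last one.

    A name is accepted only if it contains no path or null characters, has a
    non-empty stem, ends in an allowlisted extension, and has no intermediate
    segment that a server might treat as executable."""
    if "\x00" in filename or os.path.basename(filename) != filename:
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    stem, *middle, ext = parts
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return not any(seg in EXECUTABLE_EXTENSIONS for seg in middle)


def content_matches_extension(data: bytes, ext: str) -> bool:
    """Check that the file header agrees with the claimed (final) extension."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext.lower(), ()))


def storage_name(filename: str) -> str:
    """Discard the client-supplied name: keep only the vetted final extension
    behind a random token, so no intermediate segment survives on disk for the
    web server to interpret."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def accept_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Full decision for one upload: returns (accepted, storage name or reason).

    Every check runs before anything is written, so no partially validated
    file ever sits in a web-served directory."""
    if not hardened_is_allowed(filename):
        return False, "rejected: filename failed extension checks"
    ext = filename.rsplit(".", 1)[-1].lower()
    if not content_matches_extension(data, ext):
        return False, "rejected: content does not match extension"
    return True, storage_name(filename)


if __name__ == "__main__":
    # Constructed sample submissions: a benign JPEG and a double-extension upload.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "shell.php.jpg": b"<?php echo 'x'; ?>",
    }
    for name, body in samples.items():
        print(f"{name!r:16} weak={weak_is_allowed(name)!s:5} hardened={accept_upload(name, body)}")
```

Two design choices carry most of the weight. Writing the file under a server-generated name with a single vetted extension removes the double-extension problem regardless of how the web server maps extensions to handlers, so the fix does not depend on knowing the deployment. Running every check before the file is placed anywhere means there is no interval in which an unvalidated upload is reachable over HTTP, which is the window a timing-dependent exploit needs.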

Remediation

Users are advised to update the Contact Manager plugin to version 8.6.5 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.2
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.