Spam Protect for Contact Form 7 WordPress Plugin Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in the Spam Protect for Contact Form 7 WordPress plugin, affecting versions prior to 1.2.10. The vulnerability arises from the plugin's logging feature, which can write to a PHP file. An attacker with editor access could exploit this by sending a crafted header, potentially leading to the execution of arbitrary PHP code on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the vulnerable WordPress site is hosted.

Reproduction

To reproduce this vulnerability, first add or edit a Contact Form and note the Post ID. Then, navigate to the 'Antispam Settings' of the plugin. Add 'testspam' to the words to block and set the log filename to 'shell.php'. After this setup, send a POST request to the WordPress REST API endpoint for the contact form feedback, including the crafted header with the PHP code payload. Finally, access the 'shell.php' file in the WordPress content directory to see the output of the executed PHP code.

Remediation

Users are advised to update the Spam Protect for Contact Form 7 WordPress plugin to version 1.2.10 or later.