WordPress Drag and Drop File Upload for Contact Form 7 Plugin Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability exists in the WordPress plugin 'Drag and Drop File Upload for Contact Form 7', in versions through 1.1.3. The issue allows for unauthenticated arbitrary file uploads. This vulnerability arises because the plugin processes file extensions before applying proper sanitization, and it permits attackers to manipulate the file type parameter. The validation of file types is based on unsanitized extensions, while the files are saved with sanitized extensions, creating a loophole. Exploitation could lead to the upload of malicious PHP files, with the potential for remote code execution. However, an .htaccess file and name randomization currently limit the practical exploitability of this vulnerability.
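The ordering problem described above (checking the type of the name the client sent, against a type list the client can influence, and then writing the file under a different, sanitized name) is easiest to see beside the pattern a maintainer would use instead. The following is an added illustration in plain PHP, not code from the plugin or its vendor: the sanitizer, the server-side allowlist, the request shape and the constructed sample names are all assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Models the two defects the advisory
// describes: the type check runs on the raw, unsanitized name and trusts a
// client-supplied type list, while the file is stored under a sanitized name.
// sanitizeName() is an assumed stand-in for a WordPress-style filename cleaner.

// Server-side policy (assumption): the only extensions the form ever accepts.
const SERVER_ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];

function sanitizeName(string $name): string
{
    // Keep only letters, digits, dot, dash and underscore; collapse runs of dots.
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    $clean = preg_replace('/\.{2,}/', '.', $clean);
    return trim($clean, '.');
}

function extensionOf(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Vulnerable ordering: validate the raw name against a list taken from the
// request, then save under a *different* (sanitized) name.
function vulnerableUpload(string $rawName, array $clientAllowedTypes): array
{
    $checkedExt = extensionOf($rawName);
    if (!in_array($checkedExt, $clientAllowedTypes, true)) {
        return ['accepted' => false, 'saved_as' => null];
    }
    return ['accepted' => true, 'saved_as' => sanitizeName($rawName)];
}

// Hardened ordering: sanitize first, validate the exact name that will be
// written against the server-side allowlist, and replace the client's base
// name with a random one so the stored path is never attacker-chosen.
function hardenedUpload(string $rawName): array
{
    $ext = extensionOf(sanitizeName($rawName));
    if ($ext === '' || !in_array($ext, SERVER_ALLOWED_EXTENSIONS, true)) {
        return ['accepted' => false, 'saved_as' => null];
    }
    return ['accepted' => true, 'saved_as' => bin2hex(random_bytes(16)) . '.' . $ext];
}

// Invariant a maintainer can assert in tests: the extension that was validated
// must be the extension that ends up on disk. Any name for which this is false
// is one the raw-name check cannot be trusted on.
function validatedExtensionMatchesStored(string $rawName): bool
{
    return extensionOf($rawName) === extensionOf(sanitizeName($rawName));
}

// Constructed sample names for the demonstration.
$samples = [
    'quarterly report.pdf',   // ordinary upload; sanitizes to quarterlyreport.pdf
    'notes.t xt',             // raw extension "t xt", stored extension "txt"
    'archive.tar.gz',         // not on the server allowlist
];
$clientTypes = ['pdf', 't xt', 'gz'];   // what a request could claim is allowed

foreach ($samples as $name) {
    $v = vulnerableUpload($name, $clientTypes);
    $h = hardenedUpload($name);
    printf("%-22s vulnerable: %-8s saved_as=%s\n", $name,
        $v['accepted'] ? 'accept' : 'reject', $v['saved_as'] ?? '-');
    printf("%-22s hardened:   %-8s saved_as=%s\n", '',
        $h['accepted'] ? 'accept' : 'reject', $h['saved_as'] ?? '-');
    printf("%-22s validated ext == stored ext: %s\n\n", '',
        validatedExtensionMatchesStored($name) ? 'yes' : 'NO');
}
```

Run with `php example.php`. The vulnerable path accepts every sample because the request supplied the type list, and for `notes.t xt` the extension it checked (`t xt`) is not the one it stored (`txt`); the hardened path decides on the stored name only, ignores the request's type list, and randomizes the base name, which is the same layering (allowlist plus randomization, with the `.htaccess` the advisory mentions as a further backstop) that keeps an upload directory from becoming executable.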

Impact

Exploitation of this vulnerability could result in unauthorized file uploads, including potentially malicious files that could be executed on the server, leading to remote code execution.

Reproduction

To reproduce this vulnerability, upload a file through the Contact Form 7 interface that is not properly validated by the plugin. The file type can be manipulated to bypass restrictions, taking advantage of the plugin's flawed sanitization process. Once the file is uploaded, it can be accessed and executed on the server, depending on the file's nature and the server's configuration.

Remediation

Users are advised to update the plugin to version 1.1.4 or later, where this vulnerability has been patched.

Added: Apr 24, 2026, 6:25 AM
Updated: Apr 24, 2026, 6:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.8
remediation: 0.0
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.