The Wordfence Threat Intelligence team announced that they have discovered a Cross-Site Request Forgery to Stored Cross Site Scripting vulnerability in Contact Form 7 Style. The WordPress plugin is currently installed on over 50,000 sites. It is a separate plugin from “Contact Form 7” and is designed as an add-on to that plugin.
Still unpatched
Wordfence also announced that they contacted both the developer and the WordPress Plugins team, however, the developer didn’t respond or patched the vulnerability since the 9th of December. Thus, the plugin is removed from the repository due to lack of response.
The vulnerability allows attackers to craft a request to inject malicious JavaScript on a website that uses the plugin. If the website’s administrator clicks a link or attachment, the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript. Since it is a CSRF vulnerability, it can only be exploited if a user with administrative capabilities performs an action while authenticated to the vulnerable WordPress site. The Wordfence team also stated,
“We strongly recommend deactivating and removing the Contact Form 7 Style plugin and finding a replacement, as it appears this plugin won’t be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, and you are running the Wordfence Web Application Firewall, then you can rest assured that your site will be protected against any exploits targeting this vulnerability while searching for a replacement.
Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.”