A serious unauthenticated vulnerability has been disclosed in the "Redirection for Contact Form 7" WordPress plugin, which is active on more than 300,000 websites. The flaw, rated 8.1 (High on the CVSS scale), lets an attacker upload arbitrary files to an affected server or copy files that already exist on it into locations of the attacker's choosing.
Understanding the Redirection for Contact Form 7 Plugin
Developed by Themeisle, the Redirection for Contact Form 7 WordPress plugin is a popular add-on for the widely used Contact Form 7 plugin. It lets administrators redirect visitors to any web page after a form submission, store submitted entries in the database, and use a number of other extras.
Vulnerable to Unauthenticated Attackers
What makes this vulnerability particularly concerning is that it is unauthenticated: an attacker needs no account on the site, not even a subscriber-level one, to exploit it. Anyone who can reach the form endpoint can attempt it, which greatly lowers the bar for mass exploitation.
According to security researchers at Wordfence:
"The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server."
The remote file upload aspect of the vulnerability is partly mitigated by a common server configuration. The PHP setting allow_url_fopen controls whether file functions such as fopen(), file_get_contents() and copy() will accept a URL (for example http:// or ftp://) in place of a local path. PHP ships with it defaulted to "On," but most shared hosting providers routinely set it to "Off" as a standard hardening measure, precisely because it turns any unchecked file-copy operation into a remote file fetch.
That only covers the remote variant, however. Per the Wordfence description, the plugin can still be made to copy arbitrary local files on the server with allow_url_fopen "Off," since the root cause is the missing file type validation, not the ini setting. So while a well-configured shared environment reduces the chance that an attacker can pull a web shell straight from a remote host, it does not make an unpatched site safe.
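To make the two points above concrete, here is an added PHP example (not the plugin's actual code, and not a reconstruction of its move_file_to_upload function). It places a hypothetical file-move helper that has the defect class described by Wordfence next to a hardened version that refuses URL and stream-wrapper sources regardless of allow_url_fopen, confines the source to a temp directory, allow-lists both extension and detected content type, and discards the caller-supplied filename. The function names, directories, allow-lists and the sample files are all assumptions made for the illustration; the demo data is constructed inline so it runs offline.

```php
<?php
// Added example (not the plugin's code). Hypothetical unsafe helper beside a
// hardened one. Names, directories and allow-lists are assumptions.

// Unsafe: copy() accepts http:// and ftp:// sources when allow_url_fopen=On,
// so an attacker-controlled $source can fetch a remote file into the web root.
// With it Off, any readable local file can still be copied, and nothing checks
// the extension, so shell.php lands in the upload directory under its own name.
function move_file_to_upload_unsafe(string $source, string $uploadDir): string
{
    $dest = rtrim($uploadDir, '/') . '/' . basename($source);
    copy($source, $dest);
    return $dest;
}

const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

// Hardened: reject scheme-prefixed sources, confine to $tmpDir, allow-list
// extension and MIME type, and never reuse the caller's filename on disk.
function move_file_to_upload_safe(string $source, string $tmpDir, string $uploadDir): string
{
    // 1. Anything with a scheme prefix (http://, ftp://, php://, phar://, data:)
    //    is refused up front, whatever allow_url_fopen says. Assumes POSIX paths.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $source)) {
        throw new InvalidArgumentException('remote or stream-wrapper source rejected');
    }
    // 2. Resolve symlinks and "..", then require the file to live inside $tmpDir.
    $realSource = realpath($source);
    $realTmp    = realpath($tmpDir);
    if ($realSource === false || $realTmp === false
        || strpos($realSource, $realTmp . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('source outside the temp directory');
    }
    // 3. Allow-list the extension; php, phtml, phar, htaccess and friends all fail here.
    $ext = strtolower(pathinfo($realSource, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException("extension .$ext not allowed");
    }
    // 4. Check the content, not just the name: libmagic must report an allowed type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($realSource);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new InvalidArgumentException("content type $mime not allowed");
    }
    // 5. Random on-disk name with the vetted extension, so the caller never
    //    controls the final path (no double-extension tricks, no .htaccess).
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!rename($realSource, $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}

// Minimal valid PNG (signature + IHDR chunk) so libmagic reports image/png.
// Constructed test data for the demo below.
function tiny_png(): string
{
    $ihdr = 'IHDR' . pack('NNCCCCC', 1, 1, 8, 2, 0, 0, 0);
    return "\x89PNG\r\n\x1a\n" . pack('N', 13) . $ihdr . pack('N', crc32($ihdr));
}

// Demo: constructed temp and upload directories, one benign and one hostile file,
// plus a remote URL and a local file outside the temp directory.
$tmp = sys_get_temp_dir() . '/cf7-demo-tmp-' . bin2hex(random_bytes(4));
$up  = sys_get_temp_dir() . '/cf7-demo-up-' . bin2hex(random_bytes(4));
mkdir($tmp);
mkdir($up);
file_put_contents("$tmp/pic.png", tiny_png());
file_put_contents("$tmp/shell.php", "<?php system(\$_GET['c']);");

$cases = ["$tmp/pic.png", "$tmp/shell.php", 'http://attacker.example/shell.php', '/etc/passwd'];
foreach ($cases as $src) {
    try {
        $dest = move_file_to_upload_safe($src, $tmp, $up);
        echo "accepted  $src -> $dest\n";
    } catch (Exception $e) {
        echo "rejected  $src: {$e->getMessage()}\n";
    }
}
// Whether the remote-fetch variant could work at all on this PHP build.
echo 'allow_url_fopen is ' . (ini_get('allow_url_fopen') ? 'On' : 'Off') . "\n";
```

Only pic.png is accepted; shell.php fails the extension check, the http:// source is refused before any I/O, and /etc/passwd fails the temp-directory confinement even though it is a readable local file. On a real WordPress install the same checks are available through wp_check_filetype_and_ext() and wp_upload_dir(), which this stand-alone example deliberately avoids so it runs with plain PHP. Note that allow_url_fopen is a PHP_INI_SYSTEM directive: it can only be set in php.ini (allow_url_fopen = Off) or the server configuration, not from plugin code with ini_set(), which is why the code above refuses URL sources itself rather than relying on the setting.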
Users of the Redirection for Contact Form 7 plugin are strongly encouraged to update to version 3.2.8 or newer immediately to patch this critical security flaw and protect their websites.