A critical, remotely exploitable vulnerability has been found in a popular WordPress plugin that allows users to easily customize every aspect of the contact forms they embed into their websites.
The flaw in Custom Contact Forms was identified by researchers from Sucuri during a routine audit for the company's Web Application Firewall (WAF). They determined that an unauthenticated attacker could leverage the flaw, which affects all versions prior to 220.127.116.11, to gain control of a website.
While analyzing the code for Custom Contact Forms, a plugin that has been downloaded over 620,00 times from the official WordPress website, researchers noticed that a function called adminInit() contained some functionalities that could be leveraged for malicious purposes. One of the functions allowed users to generate and download a SQL dump of the plugin’s parameters, while another one could be utilized to import an SQL backup to the database.
"Those familiar with WordPress know that all of the table names and some of WordPress’s important option fields names are “protected” by a database prefix set in the website’s wp-config.php file. That said, it is of no use here as we can download a SQL dump of the plugin’s parameters which contains this piece of information!" Sucuri's Marc-Alexandre Montpas explained in a blog post. "Anybody could alter the SQL dump, adding their own queries to create a new administrative user or modify anything that is stored in the database."
The plugin's developers refused to fix the vulnerability after being notified by the security firm, but they did release an update to address the issue after Sucuri alerted the security team at WordPress. Users are advised to update their installations to version 18.104.22.168 or later as soon as possible.
Sucuri has advised WordPress website administrators to use other contact form plugins, such as JetPack and Gravity Forms, accusing the developers of Custom Contact Forms of not taking security seriously.
The security firm has identified serious vulnerabilities in numerous WordPress plugins over the past few months, and recent events have demonstrated that these flaws should not be neglected. A security hole in the MailPoet plugin was recently exploited by attackers to compromise tens of thousands of websites.