Contact Form 7 is a WordPress plugin for managing multiple website contact forms. On December 16th, researchers at Astra Security discovered a critical vulnerability being tracked as CVE-2020-35489 which could allow an attacker to bypass file name sanitization checks to upload files of any type. By crafting a file name with two file extensions separated by special characters like a tab, an attacker could trick the plugin into accepting the file while discarding all characters after the first extension. Abusing this could lead to PHP scripts being uploaded and executed.
Binary Defense recommends that any WordPress administrators using versions 5.3.1 or below should update the plugin immediately. An initial fix provided to Astra Security by the developers was deemed insufficient to protect users against the vulnerability. As of December 17th, version 5.3.2 has been made available on the WordPress plugin site which remediates the issue. After patching, administrators should also investigate any files with recent timestamps in the configured upload directory to remove any potentially malicious content.