Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style

On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.

Please note that this is a separate plugin from “Contact Form 7” and is designed as an add-on to that plugin.

We initially reached out to the plugin’s developer on December 9, 2020. We received no response for a week and followed up on December 16, 2020. After receiving no response for nearly 30 days and granting extra time due to the holidays, we escalated the issue to the WordPress Plugins team on January 4, 2021, providing the full details of the vulnerability at the time of reporting. The WordPress Plugins team responded to us the same day informing us that they notified the plugin’s developer of our findings, giving them 30 days to fix the issue or respond prior to plugin closure. Unfortunately, neither the WordPress Plugins team nor the Wordfence Threat Intelligence team received a response. This week, on February 1, 2021, the plugin was removed from the repository due to lack of response from the plugin’s developer.

All Wordfence users, including Wordfence free and Wordfence Premium users, are protected from any exploits targeting this vulnerability by the Wordfence Firewall’s built-in XSS protection. Regardless, we strongly recommend deactivating and removing this plugin and finding a replacement as it no longer appears to be maintained by its developer.

Description: Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS)
Affected Plugin: Contact Form 7 Style
Plugin Slug: contact-form-7-style
Affected Versions: <= 3.1.9
CVE ID: CVE-2021-24159
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: REMAINS UN-PATCHED.

Contact Form 7 Style is a plugin that can be used to add additional styles to forms created with Contact Form 7, one of the most popular plugins for WordPress. As part of its functionality, Contact Form 7 Style allows users to customize Cascading Style Sheets (CSS) code in order to customize the appearance of contact forms crafted by Contact Form 7.

Due to the lack of sanitization and lack of nonce protection on this feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.

It is important to note that as with all CSRF vulnerabilities, this vulnerability can only be exploited if a user with administrative capabilities performs an action while authenticated to the vulnerable WordPress site. As a general recommendation, site administrators should always be alert when clicking on any links. If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment. This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities.

How can I protect myself?

We strongly recommend deactivating and removing the Contact Form 7 Style plugin and finding a replacement, as it appears this plugin won’t be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, and you are running the Wordfence Web Application Firewall, then you can rest assured that your site will be protected against any exploits targeting this vulnerability while searching for a replacement.

Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.

Did you enjoy this post? Share it!

Comments

9 Comments
  • If I understand correct; the contact 7 plugin itself is safe, right?

    • Hi Ton,

      That is correct. The Contact Form 7 plugin itself is not affected by this. The vulnerability is only present in the Contact Form 7 Style plugin that is an addon plugin.

  • Shouldn't the date dates in January and February be changed to 2021?

    • Hi Jørgen,

      Thanks for pointing that out! We've updated the post to fix that.

  • I'm using the "Contact Form 7 - Dynamic Text Extension" on one of my client's sites. Have you noted any similar vulnerabilities?

    Thanks to Jørgen for pointing out that this is an issue with the "Contact Form 7 Style" plugin, not the "Contact Form 7" plugin itself. When I first read the notification email, and even a ways into the article I also thought we were talking about the "Contact Form 7" plugin itself. You might want to highlight or re-enforce that it's not the "main" plugin to avoid any panic for its 5 million plus users, especially folks like me that are a little slow to grasp the facts. :)

    • Hi Rich!

      Our team has not looked at “Contact Form 7 – Dynamic Text Extension”, however, based on the change log it looks like they patched an XSS vulnerability about 6 months ago. Due to the fact that it is patched, there shouldn't be anything to worry about there. As for noting that this is an issue with "Contact Form 7 Style" rather than "Contact form 7", we did provide that reinforcement as the second sentence in our article. I've moved the sentence in the article to standalone and hopefully make it more visible. :)

  • It looks the the plugin has been updated to version 3.2 about 35 minutes ago.

    • Hi Matt,

      Thank you for pointing that out. It does appear an update has been released, however, it is still not available for download due to the plugin being closed for review. Once the update is downloadable, we will update our post to reflect that information.

  • Very very much helpfull information about this plugin