Service Notices
Remote Code Execution Vulnerability Caused by the WordPress Plug-in (Drag and Drop File Upload Contact Form Earlier than 1.3.3.3)
May 29, 2020 GMT+08:00
I. Overview
A researcher recently released a proof of concept (PoC) for a remote code execution (RCE) vulnerability in WordPress. Sites that use the Contact Form 7 plug-in together with an affected version of the Drag and Drop File Upload Contact Form plug-in are exposed to this RCE vulnerability.
If you are a WordPress user, check your plug-in versions and apply security hardening promptly.
For more information about this vulnerability, visit the following website:
https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected Versions:
This vulnerability affects WordPress sites that have the Contact Form 7 plug-in enabled together with the Drag and Drop File Upload Contact Form plug-in (1.3.3.2 or earlier).
IV. Vulnerability Handling
Fixed versions of the plug-in have been officially released. If your installed plug-in falls within the affected range, upgrade it to a secure version (1.3.3 or later).
Download the latest version from the following link: https://downloads.wordpress.org/plugin/drag-and-drop-multiple-file-upload-contact-form-7.zip.
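The following script is an added example for checking an installation, not code from this notice or from the plug-in's authors. It assumes a standard WordPress layout (wp-content/plugins/&lt;slug&gt;/), the usual plug-in header block with a "Version:" line, and dotted numeric version strings; it compares the installed version of the plug-in against the 1.3.3.3 release named in the title and reports whether the Contact Form 7 plug-in directory is also present.

```shell
#!/bin/sh
# Added example (not part of the notice): report whether an affected version of the
# Drag and Drop File Upload Contact Form plug-in is installed under a WordPress root.
# Assumptions: standard wp-content/plugins/<slug>/ layout, standard plug-in header
# block with a "Version:" line, dotted numeric versions (e.g. 1.3.3.2).

PLUGIN_SLUG="drag-and-drop-multiple-file-upload-contact-form-7"
CF7_SLUG="contact-form-7"
FIXED_VERSION="1.3.3.3"

# version_lt A B: exit 0 when dotted version A sorts below B (so 1.3.3 < 1.3.3.3).
# Missing components count as 0; a trailing suffix such as "-beta" is ignored.
version_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    [ -z "$x" ] && x=0
    [ -z "$y" ] && y=0
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# is_vulnerable VERSION: exit 0 when VERSION is below the fixed release.
is_vulnerable() { version_lt "$1" "$FIXED_VERSION"; }

# plugin_version DIR: print the "Version:" header of the plug-in's main file in DIR
# (the file that also carries "Plugin Name:"); exit 1 when no header is found.
plugin_version() {
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    grep -q 'Plugin Name:' "$f" || continue
    v=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$f" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
  done
  return 1
}

# check_install WP_ROOT: exit 0 when an affected version is installed (action needed),
# 1 when the plug-in is absent or already fixed, 2 when the version cannot be read.
check_install() {
  dir="$1/wp-content/plugins/$PLUGIN_SLUG"
  if [ ! -d "$dir" ]; then
    echo "$PLUGIN_SLUG: not installed"
    return 1
  fi
  v=$(plugin_version "$dir") || { echo "$PLUGIN_SLUG: no Version header found, review manually"; return 2; }
  # A directory only shows the plug-in is installed, not that it is active;
  # confirm activation in the WordPress admin or with WP-CLI (wp plugin list).
  if [ -d "$1/wp-content/plugins/$CF7_SLUG" ]; then cf7="present"; else cf7="absent"; fi
  if is_vulnerable "$v"; then
    echo "$PLUGIN_SLUG $v: AFFECTED (fixed in $FIXED_VERSION); Contact Form 7 directory $cf7"
    return 0
  fi
  echo "$PLUGIN_SLUG $v: not affected; Contact Form 7 directory $cf7"
  return 1
}

# make_constructed_install VERSION: build a throwaway WordPress-like tree holding the
# plug-in at VERSION (a constructed fixture for trying the checker) and print its root.
make_constructed_install() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/$PLUGIN_SLUG" "$root/wp-content/plugins/$CF7_SLUG"
  cat > "$root/wp-content/plugins/$PLUGIN_SLUG/$PLUGIN_SLUG.php" <<EOF
<?php
/*
Plugin Name: Drag and Drop Multiple File Upload - Contact Form 7
Version: $1
*/
EOF
  printf '%s\n' "$root"
}

# Usage: sh check-ddfu.sh /var/www/html   (the path is an assumption about your host)
if [ -n "${1:-}" ]; then
  check_install "$1"
fi
```

Run it against the document root of each WordPress site you operate; an exit status of 0 means an affected version is present and the upgrade in step IV still applies. The version comparison is written in plain sh so it does not depend on `sort -V`, and it treats 1.3.3 as lower than 1.3.3.3.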
The Web Application Firewall (WAF) service provided by HUAWEI CLOUD supports PHP file upload detection. If you are also a WAF user, enable Webshell detection in Basic Web Protection, set the mode to Block, and set the protection level to High.
Note: Before fixing vulnerabilities, back up your files and test the fix thoroughly.