
Unpatched Vulnerability in WordPress Plugin Affects 50,000 Sites

An unpatched vulnerability in the WordPress plugin “Contact Form 7 Style”, installed on over 50,000 sites, could allow attackers to inject malicious JavaScript into a victim’s website.


The threat intelligence team at security firm Wordfence discovered a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.

The vulnerability, which carries a CVSS score of 8.8, could allow a remote attacker to inject malicious JavaScript into a site running the plugin. Exploitation requires a logged-in administrator to click a malicious link or open a malicious attachment; the forged request then stores the attacker’s JavaScript on the site, where it executes in the browsers of users who load the affected pages. The plugin was temporarily removed from the WordPress plugin repository after Wordfence reported the issue to the WordPress plugins team.

As the vulnerability remains unpatched, Wordfence said, “We strongly recommend deactivating and removing this plugin and finding a replacement as it no longer appears to be maintained by its developer.”

“This vulnerability can only be exploited if a user with administrative capabilities performs an action while authenticated to the vulnerable WordPress site. As a general recommendation, site administrators should always be alert when clicking on any links. If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment. This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities,” Wordfence added.

Contact Form 7 Style adds styling options to forms created with Contact Form 7, letting users supply custom Cascading Style Sheets (CSS) to change the appearance of their contact forms.
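The CSRF-to-stored-XSS chain described above (an admin lured into submitting a forged request, whose payload is then saved and served to visitors) comes down to a settings handler that trusts the request without verifying where it came from. The following is an added example written for this article, not code from the Contact Form 7 Style plugin or from Wordfence; it shows a minimal WordPress options page that stores custom CSS, first in the vulnerable pattern and then hardened with a capability check, a nonce check and sanitisation. All `cf7s_demo_*` function and option names are hypothetical.

```php
<?php
/**
 * Illustrative example (not the Contact Form 7 Style plugin's code): a
 * minimal WordPress options page that stores custom CSS, shown in the
 * vulnerable CSRF-to-stored-XSS pattern and in a hardened form.
 * All cf7s_demo_* function and option names are hypothetical.
 */

// --- Vulnerable pattern ---------------------------------------------------
// No nonce check: any web page an administrator visits can POST this form
// on their behalf from a hidden auto-submitting <form> (that is the CSRF).
// No capability check: any request reaching the handler may save.
// No sanitisation: "</style><script>...</script>" is stored as-is and later
// printed into every page (that is the stored XSS).
function cf7s_demo_save_css_vulnerable() {
    if ( isset( $_POST['cf7s_custom_css'] ) ) {
        update_option( 'cf7s_demo_custom_css', wp_unslash( $_POST['cf7s_custom_css'] ) );
    }
}

function cf7s_demo_print_css_vulnerable() {
    // Raw output inside <style>: the stored payload runs for every visitor.
    echo '<style>' . get_option( 'cf7s_demo_custom_css', '' ) . '</style>';
}

// --- Hardened pattern -----------------------------------------------------
function cf7s_demo_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'cf7s_demo_save_css', 'cf7s_demo_nonce' ); ?>
        <textarea name="cf7s_custom_css"><?php
            echo esc_textarea( get_option( 'cf7s_demo_custom_css', '' ) );
        ?></textarea>
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}

function cf7s_demo_save_css_hardened() {
    if ( ! isset( $_POST['cf7s_custom_css'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Nonce check: proves the request was issued from our own form and
    //    not from a cross-site page the administrator was lured to.
    //    check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'cf7s_demo_save_css', 'cf7s_demo_nonce' );

    // 3. Sanitise: strip all markup so the stored value cannot close the
    //    <style> element it is later printed into and open a <script>.
    $css = wp_strip_all_tags( wp_unslash( $_POST['cf7s_custom_css'] ) );
    update_option( 'cf7s_demo_custom_css', $css );
}

function cf7s_demo_print_css_hardened() {
    // Sanitise again on output: stored data is not trusted either.
    $css = wp_strip_all_tags( get_option( 'cf7s_demo_custom_css', '' ) );
    echo '<style>' . $css . '</style>';
}

add_action( 'admin_init', 'cf7s_demo_save_css_hardened' );
add_action( 'wp_head', 'cf7s_demo_print_css_hardened' );
```

The nonce is what defeats the CSRF step: a page on the attacker’s domain cannot read the token embedded in the admin form, so the forged POST fails `check_admin_referer()` even though the administrator’s session cookie is sent along. The capability check closes the hole for low-privilege accounts, and sanitising on both save and output means that even a payload that somehow reaches the database cannot break out of the `<style>` block. `wp_strip_all_tags()` is a blunt instrument; where the CSS may legitimately contain `<`, a CSS-aware filter is preferable.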

Wordfence researchers recommend that users deactivate or remove the Contact Form 7 Style plugin and find a replacement, as the vulnerability does not appear likely to be fixed soon.

700,000 WordPress Users at Risk

In a similar discovery, Wordfence found a zero-day vulnerability in the File Manager plugin that could allow attackers to execute arbitrary code on a WordPress site. The File Manager plugin is intended to help WordPress administrators manage files on their websites.