The threat intelligence team at security firm Wordfence discovered a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.
As the vulnerability remains unpatched, Wordfence said, “We strongly recommend deactivating and removing this plugin and finding a replacement as it no longer appears to be maintained by its developer.”
“This vulnerability can only be exploited if a user with administrative capabilities performs an action while authenticated to the vulnerable WordPress site. As a general recommendation, site administrators should always be alert when clicking on any links. If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment. This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities,” Wordfence added.
Contact Form 7 Style adds styling options to forms created with Contact Form 7: it lets users supply custom Cascading Style Sheets (CSS) code to change the appearance of their contact forms.
Wordfence researchers recommended that users deactivate or remove the Contact Form 7 Style plugin and find a replacement, since it appears the vulnerable plugin will not be fixed soon.
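The chain described above (a forged request that stores attacker-controlled CSS, which is later printed into pages) arises when a settings handler neither verifies that the request came from the admin's own form nor sanitizes what it stores. The following hypothetical WordPress handler is an added illustration, not code from Contact Form 7 Style or from Wordfence's report; the option name, action name and page slug (`cf7s_demo_*`) are invented for the example.

```php
<?php
// Hypothetical plugin code, added as an illustration; not the plugin's actual code.

add_action( 'admin_post_cf7s_demo_save_css', 'cf7s_demo_save_css' );

function cf7s_demo_save_css() {
    // Capability check: only users who may manage options can change the stored CSS.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: the form must carry a nonce bound to this action and the logged-in user.
    // A request forged from another site cannot supply a valid nonce, so the admin
    // merely being logged in is no longer enough to make the save succeed.
    check_admin_referer( 'cf7s_demo_save_css' );

    $raw = isset( $_POST['cf7s_demo_css'] ) ? wp_unslash( $_POST['cf7s_demo_css'] ) : '';
    // Keep only plain CSS: strip any HTML tags and any attempt to close the <style> block,
    // so the stored value cannot turn into markup or script when it is printed later.
    $css = wp_strip_all_tags( $raw );
    $css = str_ireplace( '</style', '', $css );
    update_option( 'cf7s_demo_css', $css );

    wp_safe_redirect( admin_url( 'admin.php?page=cf7s-demo&updated=1' ) );
    exit;
}

// Admin form: wp_nonce_field() emits the hidden nonce that check_admin_referer() verifies.
function cf7s_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cf7s_demo_save_css">
        <?php wp_nonce_field( 'cf7s_demo_save_css' ); ?>
        <textarea name="cf7s_demo_css"><?php echo esc_textarea( get_option( 'cf7s_demo_css', '' ) ); ?></textarea>
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}

// Front-end output: print the stored CSS inside a style block, re-sanitized on the way out.
add_action( 'wp_head', 'cf7s_demo_print_css' );
function cf7s_demo_print_css() {
    $css = get_option( 'cf7s_demo_css', '' );
    if ( '' !== $css ) {
        echo '<style id="cf7s-demo-css">' . wp_strip_all_tags( $css ) . "</style>\n";
    }
}
```

Removing either the nonce check or the sanitization reproduces one half of the reported issue: without the nonce a logged-in administrator's browser can be made to submit the form from elsewhere, and without sanitization whatever gets stored is printed into every page.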
700,000 WordPress Users at Risk
In a similar discovery, Wordfence found a zero-day vulnerability in the File Manager plugin that could allow attackers to execute arbitrary code on a WordPress site. The File Manager plugin is intended to help WordPress administrators manage files on their websites.