On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.

Please note that this is a separate plugin from “Contact Form 7” and is designed as an add-on to that plugin.

We initially reached out to the plugin’s developer on December 9, 2020. We received no response for a week and followed up on December 16, 2020. After receiving no response for nearly 30 days and granting extra time due to the holidays, we escalated the issue to the WordPress Plugins team on January 4, 2021, providing the full details of the vulnerability at the time of reporting. The WordPress Plugins team responded to us the same day informing us that they notified the plugin’s developer of our findings, giving them 30 days to fix the issue or respond prior to plugin closure. Unfortunately, neither the WordPress Plugins team nor the Wordfence Threat Intelligence team received a response. This week, on February 1, 2021, the plugin was removed from the repository due to lack of response from the plugin’s developer.

All Wordfence users, including Wordfence free and Wordfence Premium users, are protected from any exploits targeting this vulnerability by the Wordfence Firewall’s built-in XSS protection. Regardless, we strongly recommend deactivating and removing this plugin and finding a replacement as it no longer appears to be maintained by its developer.

Description: Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS)
Affected Plugin: Contact Form 7 Style
Plugin Slug: contact-form-7-style
Affected Versions: <= 3.1.9
CVE ID: Pending.
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: REMAINS UN-PATCHED.

Contact Form 7 Style is a plugin that can be used to add additional styles to forms created with Contact Form 7, one of the most popular plugins for WordPress. As part of its functionality, Contact Form 7 Style allows users to customize Cascading Style Sheets (CSS) code in order to customize the appearance of contact forms crafted by Contact Form 7.

Due to the lack of sanitization and lack of nonce protection on this feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.

It is important to note that as with all CSRF vulnerabilities, this vulnerability can only be exploited if a user with administrative capabilities performs an action while authenticated to the vulnerable WordPress site. As a general recommendation, site administrators should always be alert when clicking on any links. If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment. This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities.

How can I protect myself?

We strongly recommend deactivating and removing the Contact Form 7 Style plugin and finding a replacement, as it appears this plugin won’t be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, and you are running the Wordfence Web Application Firewall, then you can rest assured that your site will be protected against any exploits targeting this vulnerability while searching for a replacement.

Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.

The post Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style appeared first on Wordfence.