PT-2023-32670 · WordPress · Contact Form 7

István Márton · Published 2023-12-01 · Updated 2023-12-06 · CVE-2023-6449

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Contact Form 7 versions up to, and including, 5.8.3

Description: The issue arises from insufficient file type validation in the validate function and insufficient blocklisting in the wpcf7_antiscript_file_name function. This allows authenticated attackers with editor-level capabilities or above to upload arbitrary files to the affected site's server. However, because of the plugin's .htaccess configuration, remote code cannot be executed in most cases. By default, the uploaded file is deleted from the server immediately. In some cases, other plugins may allow the file to remain on the server longer, potentially enabling remote code execution when combined with another vulnerability, such as local file inclusion.
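The weakness described above is a blocklist that tries to name every dangerous file name, which is the wrong direction: a hardened upload filter allowlists the extensions a form field actually expects and checks every extension segment, not just the last one. The following is an added example written for this advisory, not code from Contact Form 7; the allowed-extension set is an assumption for an attachment field that expects documents and images.

```python
import posixpath
from typing import Tuple

# Assumed allowlist for a contact-form attachment field: only what the form needs.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}

# Extensions a web server may execute or a browser may run as active content.
# Used only to explain a rejection; the decision itself is allowlist-based.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "phar", "htaccess", "js", "html", "svg"}


def classify_upload_name(filename: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied upload file name.

    Every extension segment must be in ALLOWED_EXTENSIONS, so a name like
    'report.php.pdf' is rejected even though its final extension is allowed
    (some server configurations pick the first handler they recognise).
    """
    # Work on the base name only; any path component is rejected outright.
    name = posixpath.basename(filename.replace("\\", "/"))
    if name != filename or name in ("", ".", ".."):
        return False, "path components not permitted"
    if "\x00" in name:
        return False, "NUL byte in file name"
    # Trailing dots and spaces are silently dropped by some filesystems,
    # so 'shell.php.' must be judged as 'shell.php'.
    name = name.rstrip(". ")
    if name.startswith("."):
        return False, "dotfile (e.g. .htaccess) not permitted"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    for ext in parts[1:]:
        if ext not in ALLOWED_EXTENSIONS:
            if ext in EXECUTABLE_EXTENSIONS:
                return False, "executable/active extension: ." + ext
            return False, "extension not in allowlist: ." + ext
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, one per edge case the validator handles.
    for sample in ["Report.PDF", "shell.php", "shell.php.jpg", "shell.php.",
                   ".htaccess", "../x.pdf", "readme"]:
        print(sample, "->", classify_upload_name(sample))
```

Even with this check in place, uploads should be stored outside the web root or under a directory whose server configuration refuses to execute scripts, which is the layer the advisory credits with preventing code execution in most cases.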
Recommendations: For versions up to, and including, 5.8.3, update to a version that includes the fix for the insufficient file type validation and blocklisting issues. As a temporary workaround, consider restricting access to the validate function and the wpcf7_antiscript_file_name function until a patch is available. Additionally, review and adjust the .htaccess configuration to further restrict potential exploitation vectors.

Tags: Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2023-6449

Affected Products: Contact Form 7