A PREVIOUS vulnerability in Contact Form 7… and yet it doesn’t.

The last days before Christmas are a bit of a silly season in the industry, and something has to be written about. So here’s the topic: 5 MILLION WORDPRESS INSTALLATIONS AT RISK. DEADLY VULNERABILITY IN CONTACT FORM 7 PLUGIN.

The matter was described in this clickbait style by more than a dozen, mostly English-language, technology portals. And all in all, I don’t even hold this style against them: it’s easy to get carried away by emotions when you see 5 MILLION SITES AT RISK everywhere.

So let’s take a look at how the threat is portrayed in the industry media and what it really looks like:

  • Contact Form 7, according to some the most popular WordPress plugin in the world, has a vulnerability
  • the vulnerability allows execution of virtually any code, that is, a complete takeover of the site
  • the plugin, according to the media, has 5 million installations, so the issue is serious: all these sites are allegedly vulnerable

Now the facts

First of all, the plugin has 5 million installations in the WordPress repository; in fact, the real number may even be twice that. Wouldn’t 10 MILLION SITES AT RISK sound better?

To exploit the vulnerability, your server must meet 4 conditions at the same time:

  • the form must allow attaching and uploading a file; without this there is no problem at all
  • directory indexing must be enabled (that is, the contents of folders with no index.(php|html) file can be browsed)
  • the server is not running Apache, or has a problem that prevents the plugin from using its .htaccess file to block execution of uploaded files
  • an odd server configuration that lets PHP scripts run from files like pdf, doc, etc. with a double extension

The simultaneous occurrence of 4 such conditions is about as likely as curing an open fracture with Eng. Zięba’s structured water. With 10 million installations it can happen, but let’s give people a break and not scare them before Christmas.
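To check your own site against conditions 2 to 4, and to spot whether a double-extension file has already landed in the upload folder, here is an added Python audit script; it is not part of the original post or of the plugin, it assumes an Apache 2.4 host (the hardened .htaccess sample is my own, not the plugin’s file), and `make_demo_dir`/`demo` only build constructed throwaway folders so the script runs stand-alone.

```python
import os
import re
import tempfile
# Constructed sample of a hardened upload-folder .htaccess (assumption: Apache 2.4
# syntax; this is not the plugin's own file, just what the post's conditions imply).
HARDENED_HTACCESS = """\
Options -Indexes
Require all denied
<FilesMatch "\\.ph(p[3-8]?|tml|ar)(\\.|$)">
    SetHandler none
</FilesMatch>
"""
DOUBLE_EXT = re.compile(r"\.ph(p[3-8]?|tml|ar)\.[A-Za-z0-9]+$", re.I)  # e.g. cv.php.pdf
def audit_upload_dir(path):
    """Check conditions 2-4 from the post against one folder; [] means hardened."""
    findings = []
    htaccess = os.path.join(path, ".htaccess")
    if not os.path.isfile(htaccess):
        findings.append("no .htaccess: listing and execution rely on server config alone")
    else:
        with open(htaccess, encoding="utf-8") as fh:
            rules = fh.read()
        if not re.search(r"^\s*Options\s+.*-Indexes", rules, re.M):
            findings.append("directory indexing not disabled")
        if not re.search(r"Require all denied|Deny from all", rules):
            findings.append("uploaded files are directly reachable")
        if not re.search(r"SetHandler|php_flag\s+engine\s+off", rules):
            findings.append("PHP handler not disabled for double-extension names")
    for root, _, files in os.walk(path):  # detection: has the trick already been used?
        for name in files:
            if DOUBLE_EXT.search(name):
                findings.append(f"double-extension file present: {os.path.join(root, name)}")
    return findings

def make_demo_dir(base, hardened, names):
    """Build a constructed upload folder (demo fixture, not a real site)."""
    os.makedirs(base, exist_ok=True)
    if hardened:
        with open(os.path.join(base, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(HARDENED_HTACCESS)
    for name in names:
        open(os.path.join(base, name), "w").close()
    return base

def demo():
    """Audit one hardened and one exposed constructed folder; returns both lists."""
    base = tempfile.mkdtemp(prefix="cf7audit_")
    good = make_demo_dir(os.path.join(base, "hardened"), True, ["cv.pdf"])
    bad = make_demo_dir(os.path.join(base, "exposed"), False, ["cv.pdf", "cv.php.pdf"])
    return audit_upload_dir(good), audit_upload_dir(bad)
```

On a real site, call `audit_upload_dir` on the folder your form actually writes uploads to (the path is site-specific); an empty list covers the .htaccess side only, so a non-Apache host (condition 3) still needs the equivalent rules in the web server’s own configuration.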

Not scaremongering is one thing, but let’s not underestimate the security issue either. There is already a patch, so update, update; it (almost) never hurts. New Year’s Eve under curfew promises to be sluggish, but it’s still better to spend it with Polsat than cleaning malware out of WordPress.
