Yesterday afternoon, I was pretty shocked to see a message on Twitter from Mark Jaquith announcing that the WP Contact Form 7 plugin had a security vulnerability in it which was being exploited, and that anyone using the plugin should uninstall it immediately.
Contact Form 7 is a popular plugin. In fact, just the other day for the Ask Jeff segment, I explained how to configure it. I use this plugin on both WPTavern and Jeffro2pt0.com and I have since uninstalled it.
A number of people sent replies to Mark trying to figure out more information. According to Mark’s answers, he didn’t want to give out the specifics regarding the vulnerability as this would provide hackers with a roadmap. In terms of what was happening upon exploitation, Mark responded with:
It’s being exploited in… a really bad way. Complete access, insertion of spam links, Google penalties. Bad stuff.
Sounds pretty bad if you ask me. Mark has contacted the plugin author, so we can only hope that he responds quickly with a fix. Until then, WPTavern and Jeffro2pt0 will go without a contact form, as I simply don’t want to use another plugin if I don’t have to. I’ll give the author a few days to respond.
Mark stated that disabling the plugin should be enough to protect you, but for me, completely uninstalling it gives me peace of mind.
Now you might be wondering why I didn’t post about this as soon as I saw the news. Well, even though I trust Mark Jaquith, I was waiting to see if anyone else had picked up on a security bulletin or if anyone had been attacked and since made it public. I asked around all day long, including in the WordPress IRC channel, and details were very sparse. I like to know what I’m dealing with before I spread the word; that is just common sense, and since there was very little to go by, I had a hard time spreading the news. However, spread the news as much as you can before anyone else who uses this plugin turns into a victim.
During the night, I discovered a forum thread on WordPress.org started by Len which was then followed up by a reply from Takayukister who is the author of the plugin. Last time I checked, nothing was found within the plugin code that could be causing the vulnerability.