Hannah discovers bug in Contact Form 7 to bypass CAPTCHA
Contact Form 7 is one of the most popular website contact forms implemented throughout websites developed using WordPress. It allows users to quickly and easily submit a message or query to the owner of the site without the need to compose an entire email using a regular client.
Contact Form 7 provides a CAPTCHA facility to reduce the risk of abuse by bots and attackers. If that protection fails, a site can receive an influx of automated submissions, amounting to a Denial of Service attack against the site’s email recipients.
Whilst testing this CAPTCHA facility on our own website, Hedgehog Security were able to bypass this feature and flood our inbox with thousands of requests.
The author of the plugin has now been notified and a fix was released within a matter of hours. To apply the fix, visit the link below and update to version 3.7.2:
As a further precaution, it is advised that site owners who use contact forms protect themselves by limiting the recipients of their contact forms, and by creating an inbox rule that places form messages into a separate inbox folder.
This vulnerability has now been granted a CVE-ID. This can be viewed at www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2265
An advisory for this vulnerability may also be viewed below:
Vendor: Rock Lobster, LLC.
Affected Version: 3.7.1 and earlier
Reported by: Hannah Sharp
It is possible to bypass the CAPTCHA facility and fill the recipient’s inbox with an influx of requests. Removing the ‘_wpcf7_captcha_challenge_captcha-719’ parameter (or just its contents) from a request sent via a form that uses CAPTCHA allows the sender to bypass validation. Because of this, a sender is able to automate the transmission of a huge number of emails to the site’s email recipients.
The following is an example request sent via ContactForm7 using CAPTCHA:
Potential Denial of Service attack against the site’s email recipients.
Exploit code is not required.
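The validation mistake described above is a fail-open check: the CAPTCHA answer is only compared when the field arrives, so a submission that omits or blanks the parameter is never rejected. The following is an added illustration, not Contact Form 7’s own code: the function names, the constructed sample submissions and the server-side answer are assumptions, and only the parameter name is taken from the advisory. It shows the fail-open pattern beside a fail-closed version that rejects a missing, empty or wrong answer alike.

```php
<?php
// Added illustration, not Contact Form 7's own code. The functions, the
// $expected answer and the $requests below are constructed assumptions;
// only the field name comes from the advisory.
const CAPTCHA_FIELD = '_wpcf7_captcha_challenge_captcha-719';

// Vulnerable pattern: the comparison only runs when the field is non-empty, so
// a request that omits the parameter (or sends it empty) is accepted unchecked.
function validate_captcha_fail_open(array $post, string $expected): bool
{
    if (!empty($post[CAPTCHA_FIELD])) {
        return hash_equals($expected, (string) $post[CAPTCHA_FIELD]);
    }
    return true; // nothing to compare, so the submission "passes"
}

// Hardened pattern: absence, emptiness and mismatch all reject the submission.
function validate_captcha_fail_closed(array $post, string $expected): bool
{
    if (!isset($post[CAPTCHA_FIELD]) || !is_string($post[CAPTCHA_FIELD])) {
        return false; // parameter removed or not a plain string
    }
    $answer = trim($post[CAPTCHA_FIELD]);
    return $answer !== '' && hash_equals($expected, $answer);
}

// Constructed sample submissions; $expected stands in for the server-side
// answer that the CAPTCHA challenge was generated from.
$expected = 'a8f3k2';
$requests = [
    'correct answer'    => [CAPTCHA_FIELD => 'a8f3k2'],
    'wrong answer'      => [CAPTCHA_FIELD => 'zzzzzz'],
    'empty answer'      => [CAPTCHA_FIELD => ''],
    'parameter removed' => [],
];

foreach ($requests as $label => $post) {
    printf("%-18s fail-open=%-7s fail-closed=%s\n",
        $label,
        validate_captcha_fail_open($post, $expected) ? 'PASS' : 'REJECT',
        validate_captcha_fail_closed($post, $expected) ? 'PASS' : 'REJECT');
}
```

Only the correct answer should pass both checks; the empty and removed cases are where the fail-open version accepts a submission that the fail-closed version rejects.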
26/02/2014: Vendor working on a fix