Basic Contact Form <= 1.0.3 - Potential Unauthenticated Shell Upload

Uploading attachments through the contact form can allow arbitrary PHP code to run, depending on the server configuration.

The issue is related to this one; the explanation there helps in understanding the problem.

The following code is part of the function bcf_basic_contact_form_a().


	$filetype = wp_check_filetype($temp);


	if (($filetype['type'] == 'application/msword') 
		||  ($filetype['type'] == 'text/plain') 
		|| ($filetype['type'] == 'application/pdf') 
		||($filetype ['type'] == 'application/vnd.msword') 
		||($filetype ['type'] == 'application/') 
		||($filetype ['type'] == 'application/word') 
		||($filetype ['type'] == 'application/vnd.openxmlformats-officedocument.wordprocessingml.document') 
		||($filetype ['type'] == 'application/rtf') 
		||($filetype ['type'] == 'image/jpeg') 
		||($filetype ['type']== 'image/gif')
		||($filetype ['type']== 'image/png') 
		||($filetype ['type']== 'image/jpg'))
	  		if (sanitize_text_field($_FILES["file"]["error"] > 0))
					$errorMessage .= "<li> Error:" . sanitize_text_field($_FILES["file"]["error"]) ."</li>";	
					$uploads_url = wp_upload_dir() ;
					$upload_dir = $uploads_url['basedir'];
					$upload_dir2 = $upload_dir . '/bcf_uploads/';
						if (! is_dir($upload_dir2)) {wp_mkdir_p( $upload_dir2);}
							$uploads_url = $upload_dir2;
							move_uploaded_file(sanitize_text_field($_FILES["file"]["tmp_name"]), $uploads_url . sanitize_text_field ($_POST['firstname']) . '.'.sanitize_text_field ($_POST['surname']) .'_' . sanitize_text_field($_FILES["file"]["name"]));

The wall of code above contains the main problem. If you create a file named malicious.php.jpg, wp_check_filetype seems to look only at the final extension, which indicates a picture.

The next problem is that the plugin uses a consistent naming convention for the uploaded files ($uploads_url . sanitize_text_field ($_POST['firstname']) . '.'.sanitize_text_field ($_POST['surname']) .'_' . sanitize_text_field($_FILES["file"]["name"])), so an attacker can easily find the uploaded file online, and any other extension will still be there.

Apache docs on multiple extensions:

"Files can have more than one extension; the order of the extensions is normally irrelevant. For example, if the file maps onto content type text/html and language French then the file will map onto exactly the same information. If more than one extension is given that maps onto the same type of metadata, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the media-type image/gif and .html maps to the media-type text/html, then the file welcome.gif.html will be associated with the media-type text/html.

Care should be taken when a file with multiple extensions gets associated with both a media-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imagemap) and the .html extension is mapped to the media-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html media-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imagemap imagemap file."

So if the WordPress site has something like AddHandler application/x-httpd-php .php in its .htaccess, for example, the server will run the code in the uploaded malicious.php.jpg.
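As an added example (not code from the plugin or from this advisory), the Python sketch below models the mismatch described above: a check on the final extension accepts a name that still carries a handler-mapped extension, and a stored name that is random and keeps only the final extension closes both problems. The function names, the handler set and the sample listing are assumptions made for illustration.

```python
import os
import secrets

# Assumption: extensions the server maps to a handler, e.g. through
# "AddHandler application/x-httpd-php .php". Adjust to the real config.
HANDLER_EXTENSIONS = {"php"}

# Constructed subset of the final-extension -> type mapping the plugin accepts.
ALLOWED_BY_LAST_EXT = {
    "jpg": "image/jpeg", "gif": "image/gif", "png": "image/png",
    "pdf": "application/pdf", "txt": "text/plain", "rtf": "application/rtf",
}

def extensions(filename):
    """Every dot-separated extension after the base name, lowercased."""
    return [p.lower() for p in os.path.basename(filename).split(".")[1:] if p]

def last_extension_type(filename):
    """Type derived from the final extension only (the check described above)."""
    exts = extensions(filename)
    return ALLOWED_BY_LAST_EXT.get(exts[-1]) if exts else None

def handler_hits(filename):
    """Extensions anywhere in the name that the server maps to a handler."""
    return [e for e in extensions(filename) if e in HANDLER_EXTENSIONS]

def audit(filenames):
    """Names that pass the final-extension check yet still match a handler."""
    return [n for n in filenames if last_extension_type(n) and handler_hits(n)]

def stored_name(filename):
    """Unpredictable name that keeps only the final, allowed extension."""
    if last_extension_type(filename) is None:
        raise ValueError("extension not allowed: %r" % filename)
    return "%s.%s" % (secrets.token_hex(16), extensions(filename)[-1])

# Constructed listing of an uploads directory, using the plugin's naming scheme.
SAMPLE_UPLOADS = [
    "Jane.Doe_cv.pdf",
    "Jane.Doe_malicious.php.jpg",
    "Max.Muster_photo.PNG",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_UPLOADS):
        print("review:", name, "->", stored_name(name))
```

Running audit() over a real listing of the bcf_uploads directory flags files that deserve review on servers configured as described above.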

Type RCE
OWASP Top 10 A1: Injection


Submitter Paul Dannewitz
Submitter Twitter padannewitz
Views 5510
Verified No


Publicly Published 2017-09-23 (about 2 years ago)
Added 2017-09-28 (about 2 years ago)
Last Updated 2019-11-01 (13 days ago)
