Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation

Description
According to the official release:

"A privilege escalation vulnerability has been found in Contact Form 7 5.0.3 and older versions. Utilizing this vulnerability, a logged-in user in the Contributor role can potentially edit contact forms, which only Administrator and Editor-role users are allowed to access by default. This issue has been reported by Simon Scannell from RIPS Technologies.

To minimize damage from possible attacks utilizing those vulnerabilities, Contact Form 7 5.0.4 and higher will restrict the local file attachment feature. More particularly, you will no longer be able to specify an absolute file path that refers to a file placed outside the wp-content directory. You can still specify files inside the wp-content directory with relative or absolute file paths, so all you need to change is the location of the attachment files."

According to the changelog:

"Specifies the capability_type argument explicitly in the register_post_type() call to fix the privilege escalation vulnerability issue."
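The change the changelog describes, as an added illustration rather than Contact Form 7's own code: a post type registered without capability_type beside one that names its capability set explicitly, plus the role grant that makes the hardened form usable. Post type name, function names and hook names are assumptions for this example.

```php
<?php
// Added illustration of the fix the changelog describes; not Contact Form 7's
// own code. The post type name, hook names and function names are assumptions.

// Weak: capability_type is omitted, so WordPress builds the type's capability
// set from the default base 'post'. The resulting names (edit_posts,
// publish_posts, ...) are the core post capabilities, part of which the
// Contributor role already holds, so the type is not isolated from that role.
function example_register_form_type_weak() {
    register_post_type( 'example_contact_form', array(
        'public'  => false,
        'show_ui' => true,
    ) );
}

// Hardened: an explicit capability_type gives the type its own capability
// set (edit_example_contact_form, edit_others_example_contact_forms, ...),
// and map_meta_cap => true makes current_user_can( 'edit_post', $id ) resolve
// through that set. No role holds these capabilities until they are granted.
function example_register_form_type_hardened() {
    register_post_type( 'example_contact_form', array(
        'public'          => false,
        'show_ui'         => true,
        'capability_type' => array( 'example_contact_form', 'example_contact_forms' ),
        'map_meta_cap'    => true,
    ) );
}
add_action( 'init', 'example_register_form_type_hardened' );

// Grant the derived capabilities only to the roles meant to manage forms.
// Run once, e.g. from register_activation_hook(); role changes are persisted.
function example_grant_form_caps() {
    example_register_form_type_hardened(); // make sure the type exists here
    $type = get_post_type_object( 'example_contact_form' );
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( ! $role ) {
            continue;
        }
        foreach ( (array) $type->cap as $cap ) {
            $role->add_cap( $cap );
        }
    }
}

// Per-object check for any admin page or AJAX handler that edits a form.
function example_user_can_edit_form( $post_id ) {
    return get_post_type( $post_id ) === 'example_contact_form'
        && current_user_can( 'edit_post', $post_id );
}
```

A Contributor, who holds only the core edit_posts capability, fails example_user_can_edit_form() for the hardened type, while an Administrator or Editor that received the derived capabilities passes.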

Affects Plugin

Fixed in version 5.0.4

References

CVE CVE-2018-20979
URL https://contactform7.com/2018/09/04/contact-form-7-504/
URL https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7
URL https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7
URL https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7
URL https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7
URL https://www.ripstech.com/php-security-calendar-2018/#day-18

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Simon Scannell from RIPS Technologies
Submitter Ryan Dewhurst
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Verified No
WPVDB ID 9127

Timeline

Publicly Published 2018-09-04
Added 2018-09-12
Last Updated 2019-11-28
