CVE-2023-6449
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.
We have discovered 1,269,986 live websites that are affected by CVE-2023-6449.
Affected Software
| Product |  Contact Form 7 |
| Category | Form Builders |
| Vulnerable Domains | 1,269,986 live websites (35% of Contact Form 7 install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 98 versions ( 77% of all versions) |
Details
- Published - Dec 1, 2023
- Updated - Oct 15, 2024
Credits
- István Márton (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2023-6449 United States | 238,592 websites |
 Japan | 127,989 websites |
 Germany | 121,221 websites |
 France | 82,769 websites |
 Italy | 73,923 websites |
 Russia | 61,649 websites |
 GB | 49,992 websites |
 Poland | 39,887 websites |
 Spain | 39,467 websites |
 Netherlands | 37,301 websites |
Website Distribution by TLD
Number of websites using CVE-2023-6449| .com | 487,846 websites |
| .de | 67,045 websites |
| .it | 51,290 websites |
| .ru | 49,835 websites |
| .org | 39,482 websites |
| .fr | 33,892 websites |
| .co.uk | 32,671 websites |
| .nl | 32,625 websites |
| .net | 32,243 websites |
| .pl | 30,232 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-6449
Top websites that are affected by CVE-2023-6449. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.br |  Brazil | *** | |
| ********.com |  Singapore | *,*** | |
| ************.com | United States | *,*** | |
| *******.org | United States | *,*** | |
| *********.com | United States | *,*** | |
| ***************.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| *****.****.br | Brazil | *,*** | |
| *********.com | United States | *,*** | |
| ********.****.br | Brazil | *,*** |
FAQ
A total of 1,269,986 websites have been identified as vulnerable to CVE-2023-6449, based on global website indexing conducted by WebTechSurvey.
The Contact Form 7 is affected by the CVE-2023-6449 vulnerability.
Contact Form 7 versions up to and including 5.8.3 are vulnerable to CVE-2023-6449.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6?source=cve
- https://plugins.trac.wordpress.org/browser/contact-form-7/tags/5.8.3/includes/formatting.php#L275
- https://github.com/rocklobster-in/contact-form-7/compare/v5.8.3...v5.8.4
- https://contactform7.com/2023/11/30/contact-form-7-584/
- https://plugins.trac.wordpress.org/changeset/3003556/contact-form-7