CVE-2023-6449
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.
We have discovered 1,881,212 live websites that are affected by CVE-2023-6449.
Affected Software
| Product |  Contact Form 7 |
| Category | Form Builders |
| Vulnerable Domains | 1,881,212 live websites (44.83% of Contact Form 7 install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 115 versions ( 74.68% of all versions) |
Details
- Published - Dec 1, 2023
- Updated - Oct 15, 2024
Credits
- István Márton (finder)
CVE References
CVE-2023-6449 usage by Country
 United States | 456,111 websites |
 Germany | 204,470 websites |
 Japan | 195,936 websites |
 France | 137,683 websites |
 Russia | 77,570 websites |
 GB | 67,754 websites |
 Poland | 57,397 websites |
 Italy | 56,391 websites |
 Spain | 53,458 websites |
 Netherlands | 53,438 websites |
CVE-2023-6449 usage by TLD
| .com | 748,359 websites |
| .de | 97,224 websites |
| .ru | 65,749 websites |
| .org | 60,298 websites |
| .co.uk | 50,250 websites |
| .nl | 49,750 websites |
| .net | 49,539 websites |
| .fr | 49,319 websites |
| .it | 46,710 websites |
| .pl | 46,199 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-6449
Top websites that are affected by CVE-2023-6449. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.br |  Brazil | *** | |
| ********.com |  Singapore | *,*** | |
| ************.com | United States | *,*** | |
| *******.org | United States | *,*** | |
| *******************.de | Germany | *,*** | |
| *********.com | United States | *,*** | |
| ***************.com | United States | *,*** | |
| *************.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| *****.****.br | Brazil | *,*** |
FAQ
A total of 1,881,212 websites have been identified as vulnerable to CVE-2023-6449, discovered through global website indexing conducted by WebTechSurvey.
Contact Form 7 is susceptible to CVE-2023-6449 vulnerability.
Contact Form 7 versions before, and including, 5.8.3 are vulnerable to CVE-2023-6449.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6?source=cve
- https://plugins.trac.wordpress.org/browser/contact-form-7/tags/5.8.3/includes/formatting.php#L275
- https://github.com/rocklobster-in/contact-form-7/compare/v5.8.3...v5.8.4
- https://contactform7.com/2023/11/30/contact-form-7-584/
- https://plugins.trac.wordpress.org/changeset/3003556/contact-form-7