Our appointed Threat Intelligence team have detected a serious security issue with Contact Form 7 Style.  This is not connected to the official Contact Form 7 plugin.  However, we recommend taking precautionary action now to avoid problems with your site…

The threat comes in the form of a Cross-Site Request Forgery (CSRF) to Cross-Site Scripting (XSS) vulnerability.  Please read the article to find out more.

What is Contact Form 7 Style?

Contact Form 7 Style is a plugin that can be used to add additional styles to forms created with Contact Form 7, one of the most popular plugins for WordPress.  As part of its functionality, Contact Form 7 Style allows users to customise Cascading Style Sheets (CSS) code in order to customise the appearance of contact forms crafted by Contact Form 7.

Our team reached out to the plugin’s developer on December 9, 2020.  After receiving no response for nearly 30 days, and after granting extra time because of the Christmas holidays, they escalated the issue to the WordPress Plugins team on January 4, 2021, providing the full details of the vulnerability at the time of reporting.

The WordPress Plugins team responded to us the same day, informing us that they had notified the plugin’s developer of our findings and given them 30 days to fix the issue or respond before the plugin would be closed.  Unfortunately, neither the WordPress Plugins team nor the Threat Intelligence team received a response.  On February 1, 2021, the plugin was removed from the repository due to the lack of response from the plugin’s developer.  The closure may well be temporary if the developer responds and fixes the issue.

What is the problem with Contact Form 7 Style?

Because the CSS customisation feature neither sanitises its input nor protects the settings update against forged requests, an attacker could inject malicious JavaScript into a site using the plugin.  If an attacker successfully tricked a site’s administrator into clicking a link or opening an attachment, the forged request would be sent with the administrator’s session, and the stored CSS settings would be updated to include malicious JavaScript.

It is important to note that as with all CSRF vulnerabilities, this vulnerability can only be exploited if a user with administrative capabilities performs an action while authenticated to the vulnerable WordPress site.  As a general recommendation, site administrators should always be alert when clicking on any links.  If you feel you must click a link, we recommend using Incognito/Private windows when you are unsure about a link or attachment.  This precaution can protect your site from being exploited by this, along with all other CSRF vulnerabilities.
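The two gaps the advisory names, a settings update with no request-forgery protection and CSS stored without sanitisation, are the shape of the fix any WordPress plugin needs for this kind of feature.  The following is an added example and is not the Contact Form 7 Style plugin’s own code; the option name, nonce action, form field and hook names are assumptions chosen for illustration.

```php
<?php
/*
 * Added example, not Contact Form 7 Style's code: a custom-CSS settings
 * handler that (1) ties the save action to a WordPress nonce so a forged
 * cross-site request cannot update the option, and (2) validates the CSS
 * so that stored markup or script-bearing constructs are rejected.
 * All names below (option, nonce action, form field, hooks) are assumptions.
 */

const EXAMPLE_CSS_OPTION   = 'example_cf7_custom_css';   // assumed option name
const EXAMPLE_NONCE_ACTION = 'example_cf7_save_css';     // assumed nonce action

/**
 * Validate custom CSS. Legitimate CSS never contains a '<tag' sequence, so,
 * like WordPress core's own custom-CSS validation, any markup is an error.
 * Returns the CSS string on success or a WP_Error on rejection.
 */
function example_validate_custom_css( $css ) {
    $css = (string) $css;
    if ( preg_match( '#</?\w+#', $css ) ) {
        return new WP_Error( 'markup_in_css', 'Markup is not allowed in CSS.' );
    }
    // Legacy or vendor constructs that let CSS execute script in old engines.
    if ( preg_match( '/(expression\s*\(|-moz-binding|behavior\s*:|javascript\s*:|vbscript\s*:)/i', $css ) ) {
        return new WP_Error( 'active_css', 'Script-bearing CSS constructs are not allowed.' );
    }
    if ( preg_match( '/@import\b/i', $css ) ) {
        return new WP_Error( 'import_in_css', 'Remote stylesheet imports are not allowed here.' );
    }
    return $css;
}

/** Settings form: the nonce field distinguishes a genuine admin submission from a forged one. */
function example_render_css_form() {
    $css = get_option( EXAMPLE_CSS_OPTION, '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_css">';
    wp_nonce_field( EXAMPLE_NONCE_ACTION );
    echo '<textarea name="custom_css" rows="12" cols="80">' . esc_textarea( $css ) . '</textarea>';
    submit_button( 'Save CSS' );
    echo '</form>';
}

/** Save handler: capability check, then nonce check, then validation, in that order. */
function example_save_css_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies with a 403 when the nonce is missing or stale.
    // A cross-site form post cannot supply a valid nonce, which closes the CSRF gap.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    $raw    = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    $result = example_validate_custom_css( $raw );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 400 ) );
    }
    update_option( EXAMPLE_CSS_OPTION, $result );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_css', 'example_save_css_handler' );

/** Output: even validated CSS is emitted through wp_strip_all_tags() as a second layer. */
function example_print_custom_css() {
    $css = get_option( EXAMPLE_CSS_OPTION, '' );
    if ( '' === $css ) {
        return;
    }
    echo '<style id="example-cf7-style">' . wp_strip_all_tags( $css ) . "</style>\n";
}
add_action( 'wp_head', 'example_print_custom_css' );

/**
 * Audit helper for site owners: true if the CSS already stored in the option
 * would fail validation, which suggests the setting has been tampered with.
 */
function example_stored_css_looks_tampered() {
    return is_wp_error( example_validate_custom_css( get_option( EXAMPLE_CSS_OPTION, '' ) ) );
}
```

The order in the save handler matters: the capability check and nonce check run before any input is touched, so an unauthenticated or forged request never reaches the validation or the database write.  The audit helper is the check a site owner who cannot remove the plugin immediately would want to run against their own stored settings.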

As the issue has a CVSS score of 8.8 (high), we recommend you take action now.  You can view the calculation for the score here.

Please note that due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability.  This will provide users with ample time to find an alternative solution.  We may provide additional details later as we and our partners continue to monitor the situation.

Contact Form 7 Style plugin security – take action now

What do I need to do?

We strongly recommend deactivating and removing the Contact Form 7 Style plugin now.  You will need to find a replacement, as it appears this plugin won’t be patched in the foreseeable future.  If you must keep the plugin installed on your site until you find a replacement, then please check your Web Application Firewall.  If you are running the Wordfence Web Application Firewall, then you can rest assured that your site will be protected.

However, we do recommend deactivating it now.  If you are hosted with us and we manage your site, we have already taken action.

Need more help and advice?

If you need more help and advice, please get in touch with us.