CVE-2023-6449
Published: 01 December 2023
Summary
CVE-2023-6449 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Rocklobster Contact Form 7. Its CVSS base score is 6.6 (Medium).
Operationally, it ranks in the top 8.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads in versions up to and including 5.8.3. The issue stems from insufficient file type validation in the validate function combined with weak blocklisting in the wpcf7_antiscript_file_name function, allowing certain files to be placed on the server despite existing .htaccess protections.
Authenticated users with editor-level privileges or higher can upload arbitrary files to the affected site. While remote code execution is blocked in most configurations and uploaded files are deleted immediately by default, the files may persist longer when other plugins interfere, enabling RCE when the upload is chained with a separate vulnerability such as local file inclusion.
The official Contact Form 7 advisory and the 5.8.4 release address the flaw through improved validation and blocklisting. Corresponding code changes appear in the plugin's formatting.php and the associated WordPress plugin repository commit.
EPSS scores remained low, moving only from a starting value near 0.06 to a peak of 0.0866 with no indication of significant post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58686
Vulnerability details
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.