Cyber Resilience

CVE-2023-6449

Severity: Medium
Published: 01 December 2023
Modified: 08 April 2026
KEV Added: not listed
Patch: available (5.8.4)
CVSS Score v3.1: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0714 (91.7th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-6449 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Rocklobster Contact Form 7. Its CVSS base score is 6.6 (Medium).

Operationally, it ranks in the top 8.3% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads in versions up to and including 5.8.3. The issue stems from insufficient file type validation in the validate function combined with weak blocklisting in the wpcf7_antiscript_file_name function, allowing certain files to be placed on the server despite existing .htaccess protections.

Authenticated users with editor-level privileges or higher can upload arbitrary files to the affected site. While remote code execution is blocked in most configurations and uploaded files are deleted immediately by default, the files may persist longer when other plugins interfere, enabling RCE when the upload is chained with a separate vulnerability such as local file inclusion.

The official Contact Form 7 advisory and the 5.8.4 release address the flaw through improved validation and blocklisting. Corresponding code changes appear in the plugin's formatting.php and the associated WordPress plugin repository commit.

EPSS scores have remained low, rising only from an initial value near 0.06 to a peak of 0.0866, with no indication of significant post-disclosure exploitation interest.

Vulnerability details

The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rocklobster
Product: contact form 7
Versions: ≤ 5.8.4

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media. (addresses CWE-434)
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs. (addresses CWE-434)
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures. (addresses CWE-434)
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types. (addresses CWE-434)
