A critical vulnerability has been discovered in a popular WordPress plugin, potentially exposing hundreds of thousands of websites to severe security risks. This, coupled with a broader study revealing the inadequacy of common hosting defenses against WordPress-specific threats, highlights a significant gap in the platform’s security.

Critical Flaw in Contact Form 7 Redirection Plugin

A severe security flaw has been identified in the “Redirection for Contact Form 7” plugin, a widely used add-on for the popular Contact Form 7 plugin. This vulnerability, rated 8.8 out of 10 on the CVSS severity scale, allows unauthenticated attackers to execute remote code on affected websites. The flaw lies within the plugin’s delete_associated_files function, which suffers from insufficient file path validation.

This allows attackers to delete critical files, such as wp-config.php, paving the way for a complete website takeover. The vulnerability affects all versions up to and including 3.2.4, impacting an estimated 300,000 websites. Users are strongly advised to update the plugin immediately.

Thankfully, we use the plugin Gravity Forms for all our clients contact forms as it is a more secure and reliable option. But this highlights the importance of having a Website Care Plan in place, so plugins can be updated regularly. We had 2 clients whose sites were built by a different provider which we now manage that DO use Contact Form 7 Redirection Plugin and thankfully, being on a care plan we were able to update their software immediately.

Hosting Defenses Fall Short Against WordPress Exploits

A recent case study by Patchstack has revealed that common hosting provider defences and general web application firewalls (WAFs), including Cloudflare, are largely ineffective against WordPress-specific threats. The study tested various hosting configurations against 11 WordPress-specific vulnerabilities, finding that these general security measures only blocked 12.2% of the exploits. In contrast, a dedicated WordPress security solution like Patchstack successfully blocked 100% of the tested threats.

Key Takeaways:

• Standard hosting defences and generic WAFs bypass WordPress-specific vulnerabilities at an 87.8% rate.
• Many solutions claiming “virtual patching” failed to stop WordPress-specific exploits.
• Generic firewalls and WAFs are effective against broad attacks like SQL injection and XSS but not against plugin and theme-specific flaws.
• Dedicated WordPress security solutions offer real-time protection by applying virtual patches as soon as vulnerabilities are disclosed.

The Importance of Dedicated WordPress Security

The findings underscore the vulnerability of WordPress sites due to the platform’s extensive plugin ecosystem, which is a prime target for attackers. While general security tools may offer some protection against common web attacks, they lack the specificity needed to counter WordPress-native exploits. This leaves websites exposed to risks such as privilege escalation, authentication bypasses, and site takeovers.

The study emphasises that relying solely on generic hosting defences is insufficient, and a specialised security solution is crucial for comprehensive protection.

For all websites we develop for clients, we include a high-level security plugin, along with a complementary plugin which tracks all user and system actions on your site for debugging and security. Our Care Plan clients get added to an additional software management portal which has another layer of security and daily site backups to an external server, stored for 90 days.

False Alarms and Real Threats

In a separate incident, WordPress version 6.6.1 was briefly flagged by Windows Defender for containing a trojan. This was later identified as a false positive caused by an XML namespace declaration within a CSS file, which the antivirus software misinterpreted. While this particular instance was a misunderstanding of code, it highlights the constant vigilance required in the digital security landscape, where even legitimate code can sometimes trigger alerts.

Sources

• Common Hosting Defenses Ineffective Against WordPress Threats, Search Engine Journal.
• Hosting Security Tested, Patchstack
• WordPress Contact Form 7 Redirection Plugin Vulnerability Hits 300k Sites, Search Engine Journal.