v1.6-v1.7-v8x /!\ Security ALERT - PrestaHero Contact Form 7 - Version: 2.3.9 to 2.4.1 (latest)

chibi

⚠️ Security Alert: PrestaShop Module "Contact Form 7" (ets_contactform7)

The "Contact Form 7" module (version 2.3.9 and even the latest official available version) available on this forum contains critical vulnerabilities that allow attackers to perform unauthorized actions, exfiltrate database data, and execute malicious code in administrators' browsers.

Key issues:
  • Broken access control: Any authenticated back-office user with minimal rights can delete forms or modify configurations via crafted URLs.
  • Disabled SSL verification: External requests (e.g., to Google reCAPTCHA) are exposed to MITM attacks.
  • SQL injection: Attackers can extract data from any database table using time-based blind SQL injection techniques.
  • Reflected XSS: Crafted URLs can execute JavaScript in admin sessions, leading to potential account hijacking.
  • No CSRF protection & weak file validation: Exposes forms to forced submissions and file upload bypass.

Impact:
Severe risk to data confidentiality and store integrity. Exploits can be carried out by low-privilege internal users or via targeted admin attacks.

Recommendation:
Immediately uninstall or disable this module. Wait for an official patch or switch to a more secure alternative.

Please find attached the detailed audit document for technical teams and security reviewers.

Attachments

  • security_analysis_contactform7.txt
    4.2 KB · Views: 3

AquariusGaza

Thanks for Security Alert ets_contactform7 GL HF

josean

Thank you very much for sharing this great module.

cmrcmr

Thanks for sharing this module :D

moonia

Thanks for Security Alert ets_contactform7 GL HF

djsebyss

Thanks for the alert! I like this module so I hope they fix everything in the next updates.

moonfire

Did you find this information on a website reporting on PS module vulnerabilities?
Or did you have an AI create this report?

Kurwiu

Good addon, thanks for sharing, much appreciated!