v1.6-v1.7-v8x /!\ Security ALERT - PrestaHero Contact Form 7 - Version: 2.3.9 to 2.4.1 (latest)

chibi

⚠️ Security Alert: PrestaShop Module "Contact Form 7" (ets_contactform7)

The "Contact Form 7" module (version 2.3.9 and even the latest official available version) available on this forum contains critical vulnerabilities that allow attackers to perform unauthorized actions, exfiltrate database data, and execute malicious code in administrators' browsers.

Key issues:
  • Broken access control: Any authenticated back-office user with minimal rights can delete forms or modify configurations via crafted URLs.
  • Disabled SSL verification: External requests (e.g., to Google reCAPTCHA) are exposed to MITM attacks.
  • SQL injection: Attackers can extract data from any database table using time-based blind SQL injection techniques.
  • Reflected XSS: Crafted URLs can execute JavaScript in admin sessions, leading to potential account hijacking.
  • No CSRF protection & weak file validation: Exposes forms to forced submissions and file upload bypass.

Impact:
Severe risk to data confidentiality and store integrity. Exploits can be carried out by low-privilege internal users or via targeted admin attacks.

Recommendation:
Immediately uninstall or disable this module. Wait for an official patch or switch to a more secure alternative.

Please find attached the detailed audit document for technical teams and security reviewers.

Attachments

  • security_analysis_contactform7.txt (4.2 KB)
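As an added illustration (not the module's code and not taken from the attached audit), here is a PHP sketch of the defensive pattern for the issue classes listed in the post: a back-office delete action with token, permission and identifier checks beside its unchecked form, and a reCAPTCHA verification call with certificate verification left on. The controller name, table name (ets_cf7_form) and field name (id_form) are assumptions.

```php
<?php
// Added example, not the module's own code. Names of the controller, table
// and column are assumed for illustration.

class AdminEtsCf7DemoController extends ModuleAdminController
{
    // Unchecked shape: trusts the raw id and the bare URL.
    public function processDeleteInsecure()
    {
        $id = Tools::getValue('id_form');
        // Interpolated id -> (time-based blind) SQLi; no token -> CSRF;
        // no rights check -> any back-office user can delete forms.
        return Db::getInstance()->execute(
            'DELETE FROM ' . _DB_PREFIX_ . "ets_cf7_form WHERE id_form = $id"
        );
    }

    // Hardened shape.
    public function processDeleteSecure()
    {
        // 1. CSRF: the request must carry the employee's admin token for this controller.
        if (Tools::getValue('token') !== Tools::getAdminTokenLite('AdminEtsCf7Demo')) {
            throw new PrestaShopException('Invalid token');
        }
        // 2. Access control: the employee's profile needs the delete right on this tab.
        if (empty($this->tabAccess['delete'])) {
            throw new PrestaShopException('Access denied');
        }
        // 3. SQLi: cast the identifier; never interpolate user input into SQL.
        $id = (int) Tools::getValue('id_form');
        if ($id <= 0) {
            return false;
        }
        return Db::getInstance()->execute(
            'DELETE FROM `' . _DB_PREFIX_ . 'ets_cf7_form` WHERE `id_form` = ' . $id
        );
    }
}

// reCAPTCHA verification with TLS verification kept on. Setting VERIFYPEER to
// false / VERIFYHOST to 0 is the weak configuration the post warns about.
function verifyRecaptcha(string $secret, string $response): bool
{
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['secret' => $secret, 'response' => $response]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // verify Google's certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,    // and that the name matches the host
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    $json = ($body !== false) ? json_decode($body, true) : null;
    return is_array($json) && !empty($json['success']);
}
```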

AquariusGaza

Thanks for the security alert on ets_contactform7, GL HF

josean

Thank you very much for sharing this great module.

cmrcmr

Thanks for sharing this module :D

moonia

Thanks for the security alert on ets_contactform7, GL HF

djsebyss

Thanks for the alert! I like this module so I hope they fix everything in the next updates.

moonfire

Did you find this information on a website that reports PS module vulnerabilities?
Or did an AI create this report?