v1.6-v1.7-v8x /!\ Security ALERT - PrestaHero Contact Form 7 - Version: 2.3.9 to 2.4.1 (latest)

chibi

⚠️ Security Alert: PrestaShop Module "Contact Form 7" (ets_contactform7)

The "Contact Form 7" module (version 2.3.9 and even the latest officially available version) available on this forum contains critical vulnerabilities that allow attackers to perform unauthorized actions, exfiltrate database data, and execute malicious code in administrators' browsers.

Key issues:
  • Broken access control: Any authenticated back-office user with minimal rights can delete forms or modify configurations via crafted URLs.
  • Disabled SSL verification: External requests (e.g., to Google reCAPTCHA) are exposed to MITM attacks.
  • SQL injection: Attackers can extract data from any database table using time-based blind SQL injection techniques.
  • Reflected XSS: Crafted URLs can execute JavaScript in admin sessions, leading to potential account hijacking.
  • No CSRF protection & weak file validation: Exposes forms to forced submissions and file upload bypass.

Impact:
Severe risk to data confidentiality and store integrity. Exploits can be carried out by low-privilege internal users or via targeted admin attacks.

Recommendation:
Immediately uninstall or disable this module. Wait for an official patch or switch to a more secure alternative.

Please find attached the detailed audit document for technical teams and security reviewers.

Attachments

  • security_analysis_contactform7.txt
    4.2 KB

AquariusGaza

Thanks for the Security Alert ets_contactform7 GL HF

josean

Thank you very much for sharing this great module.

cmrcmr

Thanks for sharing this module :D

moonia

Thanks for the Security Alert ets_contactform7 GL HF

djsebyss

Thanks for the alert! I like this module so I hope they fix everything in the next updates.

moonfire

Did you find this information on a website reporting on PS module vulnerabilities?
Or did you have an AI create this report?

Kurwiu

Good addon, thanks for sharing, much appreciated!