Thanks for Security Alert ets_contactform7
v1.6-v1.7-v8x /!\Security ALERT - PrestaHero Contact Form 7 - Version: 2.3.9 to 2.4.1 (latest)
- Thread starter chibi
- Start date
I like this module. I want to download the latest version available on the website.
I liked the theme!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Post automatically merged:
I liked the theme!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Post automatically merged:
Post automatically merged:
Post automatically merged:
Post automatically merged:
Post automatically merged:
Code:
[THANKS][/THANKS]
Last edited:
Security Alert: PrestaShop Module "Contact Form 7" (ets_contactform7)
The "Contact Form 7" module (version 2.3.9 and even the latest official available version) available on this forum contains critical vulnerabilities that allow attackers to perform unauthorized actions, exfiltrate database data, and execute malicious code in administrators' browsers.
Key issues:
- Broken access control: Any authenticated back-office user with minimal rights can delete forms or modify configurations via crafted URLs.
- Disabled SSL verification: External requests (e.g., to Google reCAPTCHA) are exposed to MITM attacks.
- SQL injection: Attackers can extract data from any database table using time-based blind SQL injection techniques.
- Reflected XSS: Crafted URLs can execute JavaScript in admin sessions, leading to potential account hijacking.
- No CSRF protection & weak file validation: Exposes forms to forced submissions and file upload bypass.
Impact:
Severe risk to data confidentiality and store integrity. Exploits can be carried out by low-privilege internal users or via targeted admin attacks.
Recommendation:
Immediately uninstall or disable this module. Wait for an official patch or switch to a more secure alternative.
Please find attached the detailed audit document for technical teams and security reviewers.
This is a great module. It's great to see it keeps getting updated. I will test to check it out. Thanks for posting.