March 17, 2015

We have been doing a web application pentest for a fairly large company this week. They are hosting with a well-known web hosting company but maintain their own WordPress install with dozens of plugins.

During the initial assessment of the web application, including WP-Scans, we immediately noticed that many of the dozens of plugins they use had not been maintained in terms of upgrades and patching.

We stumbled across an old installation of Contact Form 7, a very popular plugin that lets site owners add a contact form. Unfortunately, this old version didn't sanitise any user input, and by modifying an exploit available on Exploit-DB, we were able to use the plugin's file upload function to simply upload a remote-controlled PHP script. System compromised.
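The finding above comes down to a PHP file landing in a directory that should only ever hold uploaded media. As an added example (not part of the original post), here is a defender's check that walks a WordPress uploads tree and lists anything that should not be there: files with a server-side executable extension, double extensions such as `x.php.jpg`, or any file whose first bytes contain a PHP open tag whatever its name. The uploads path is assumed, and the sample tree is constructed inline for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Lists files under a WordPress
# uploads directory that should never be there. Usage on a real host (path assumed):
#   find_php_in_uploads /var/www/html/wp-content/uploads

find_php_in_uploads() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            # Executable extensions, including double-extension tricks (shell.php.jpg).
            *.php|*.php[0-9]|*.phtml|*.phar|*.php.*|*.phtml.*) echo "$f"; continue ;;
        esac
        # Content check: catches scripts renamed to look like images.
        if head -c 512 "$f" | grep -q '<?php'; then
            echo "$f"
        fi
    done | sort
}

# Constructed sample tree for demonstration; real runs point at the live uploads dir.
make_sample_uploads() {
    sample="$(mktemp -d)"
    mkdir -p "$sample/2015/03"
    printf 'GIF89a' > "$sample/2015/03/logo.gif"                 # harmless image
    printf '<?php echo 1;' > "$sample/2015/03/cmd.php"           # obvious script
    printf '<?php echo 1;' > "$sample/2015/03/pic.php.jpg"       # double extension
    printf 'GIF89a\n<?php echo 1;' > "$sample/2015/03/fake.jpg"  # image header, PHP body
    echo "$sample"
}
```

Run it on the real uploads directory from cron and alert on any output; a clean tree prints nothing.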

We cannot stress enough that most WordPress plugins out there have weak coding (well, they are free after all, and many are written by hobby programmers). More worrying, though, is that customers seem not to patch their WordPress installations and plugins regularly. Please keep them up to date.