[resolved] [closed] "Contact Form 7" version 7.3.2 plugin is malicious (5 posts)

  1. tigertech
    Posted 5 years ago #

    This plugin from the Plugin Directory is malicious:


    (The malicious version is different from the real version of "Contact Form 7" at <http://wordpress.org/extend/plugins/contact-form-7/>, but unfortunately the malicious version comes up before the real version when searching for "Contact Form" in the Plugin Directory.)

    When you activate the malicious one, it sends an e-mail message to "dbwordpress@gmail.com". That message contains a link to "/wp-content/plugins/contact-form-73/settings.php?wpcf7=1" on the blog where the plugin is installed. That script sets an admin-level cookie that gives the attacker full administrator access to the site.

    That plugin should be removed from the Plugin Directory ASAP.

    Some searching suggests this upload is a response to <http://www.maxence-blog.fr/2011/06/04/pirater-un-blog-wordpress-une-securite-dejouee/>, which is basically a post saying "hey, look, the WordPress people don't check for malicious uploads to the plugin directory, so it's easy to hack people's blogs this way".

    This is alarming. If nothing else, the plugin directory should perhaps do some rudimentary sorting by download count, so that the real version of a plugin (downloaded 4 million times) appears in the results before a hacked version (downloaded a couple of thousand times) when the given name of the plugin is the same.
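    Two of the signals in this report can be checked mechanically on a site's own install: a second plugin slug whose readme claims an already-installed plugin's name (here "contact-form-73" impersonating "contact-form-7"), and a plugin file that creates a WordPress login session based on request parameters, as the settings.php described above does. The scanner below is an added example for this thread, not code from the forum, WordPress.org or the Contact Form 7 project; the plugin tree is a constructed in-memory stand-in (the settings.php fragment is a hypothetical imitation, not the real file), and the regexes are heuristics that flag files for manual review rather than prove them malicious.

```python
import re
from typing import Dict, List

# Constructed stand-in for a wp-content/plugins tree (relative path -> contents).
# It mirrors the thread: an impostor "contact-form-73" directory whose readme
# declares the same plugin name as the genuine "contact-form-7" slug, plus a
# directly requestable settings.php that establishes a login session from a GET.
SAMPLE_TREE: Dict[str, str] = {
    "contact-form-7/readme.txt": "=== Contact Form 7 ===\nStable tag: trunk\n",
    "contact-form-7/wp-contact-form-7.php": "<?php\n/* Plugin Name: Contact Form 7 */\n",
    "contact-form-73/readme.txt": "=== Contact Form 7 ===\nStable tag: 7.3.2\n",
    "contact-form-73/settings.php": (
        "<?php\n// constructed fragment imitating the admin-cookie script\n"
        "if (isset($_GET['wpcf7'])) { wp_set_auth_cookie(1, true); }\n"
    ),
}

README_NAME = re.compile(r"^===\s*(.+?)\s*===", re.M)
# Calls that create a WordPress session; a plugin file reachable by URL that
# invokes one of them based on request parameters deserves a manual look.
SESSION_CALL = re.compile(r"\b(wp_set_auth_cookie|wp_set_current_user|setcookie)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def declared_names(tree: Dict[str, str]) -> Dict[str, str]:
    """Map each plugin slug (top-level directory) to the name in its readme.txt."""
    names: Dict[str, str] = {}
    for path, text in tree.items():
        slug, _, rest = path.partition("/")
        if rest.lower() == "readme.txt":
            m = README_NAME.search(text)
            if m:
                names[slug] = m.group(1)
    return names


def duplicate_names(tree: Dict[str, str]) -> Dict[str, List[str]]:
    """Plugin names claimed by more than one slug, e.g. a look-alike upload."""
    by_name: Dict[str, List[str]] = {}
    for slug, name in declared_names(tree).items():
        by_name.setdefault(name, []).append(slug)
    return {n: sorted(s) for n, s in by_name.items() if len(s) > 1}


def session_setting_files(tree: Dict[str, str]) -> List[str]:
    """PHP files that both read request input and create a session."""
    return sorted(p for p, t in tree.items()
                  if p.endswith(".php") and SESSION_CALL.search(t) and REQUEST_INPUT.search(t))
```

To run it against a real install, build the dictionary by walking wp-content/plugins and reading each readme.txt and .php file; anything flagged is a candidate for comparison against the copy in the official Plugin Directory, not an automatic verdict.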

  2. Takayuki Miyoshi
    Posted 5 years ago #

    tigertech, thank you for alerting us to this.

    That plugin should be removed from the Plugin Directory ASAP.

    Yes. And the author's account should be banned.

  3. tigertech
    Posted 5 years ago #

    Takayuki Miyoshi,

    Thanks for posting. Out of interest, how did you tell that that person was the true author? Just looking through Trac changes, etc.?

    One of the things that's surprising is that the malicious plugin author made it look like you uploaded it -- it even shows up on your profile page. But it shows up on the other profile page you mentioned, too.

    The plugin directory system really ought to prevent someone from being able to upload a plugin and make the page say that the author is a different registered user...

  4. Takayuki Miyoshi
    Posted 5 years ago #

    Just from Trac log.

    I suppose the plugin directory only checks the name in the readme.txt file. Actually, this is the second time my name has been faked.

  5. If you want to report a plugin, please email plugins@wordpress.org with the pertinent details.

    ETA: Plugin removed, author (and aliases) suspended. Of note, the reason the topic was closed is to not start a fight between devs. Not that you were, but it happens a lot :/ Email the plugins account with the deets next time :) and THANK you for reporting it! It is appreciated.
