Contact Form 7 5.0.4 is available. This is a security and maintenance release and we strongly encourage you to update to it immediately.
A privilege escalation vulnerability has been found in Contact Form 7 5.0.3 and older versions. Utilizing this vulnerability, a logged-in user in the Contributor role can potentially edit contact forms, which only Administrator and Editor-role users are allowed to access by default. This issue has been reported by Simon Scannell from RIPS Technologies.
To minimize the damage from attacks that exploit this vulnerability, Contact Form 7 5.0.4 and higher restricts the local file attachment feature. Specifically, you can no longer specify an absolute file path that refers to a file outside the wp-content directory. Files inside the wp-content directory can still be specified with either relative or absolute paths, so the only change you may need to make is the location of your attachment files.
Requires: WordPress 4.8 or higher
Tested up to: WordPress 4.9.8
- Specifies the capability_type argument explicitly in the register_post_type() call to fix the privilege escalation vulnerability issue.
- Local File Attachment – disallows the specifying of absolute file paths referring to files outside the wp-content directory.
- Config Validator – adds a test item to detect invalid file attachment settings.
- Acceptance Checkbox – unsets the form-tag’s
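Why an explicit capability_type matters: when register_post_type() is called without it, WordPress defaults the post type's capabilities to those of 'post', so the type's edit_posts and create_posts checks are satisfied by the ordinary edit_posts capability that every Contributor holds. Giving the post type its own capability_type makes WordPress generate capabilities that no role has until they are granted. The following is an added example written for this page, not Contact Form 7's code; the post type name `demo_form`, the capability names derived from it, and the `demo_*` function names are all hypothetical:

```php
<?php
// Added example, not Contact Form 7's own code. Shows a post type registered
// without capability_type (vulnerable pattern, kept commented out) beside one
// registered with an explicit, plugin-specific capability_type. Assumes a
// WordPress runtime; 'demo_form' and the demo_* names are hypothetical.

add_action( 'init', 'demo_register_form_post_type' );

function demo_register_form_post_type() {
	// Vulnerable pattern: capability_type is omitted and therefore defaults
	// to 'post'. The type's edit_posts / create_posts capabilities become the
	// literal 'edit_posts' capability, which the Contributor role has, so a
	// Contributor satisfies the post type's own access checks.
	//
	// register_post_type( 'demo_form', array(
	//     'public'  => false,
	//     'show_ui' => false,
	// ) );

	// Hardened pattern: an explicit capability_type (singular 'demo_form',
	// plural 'demo_forms') with map_meta_cap makes WordPress derive
	// edit_demo_forms, edit_others_demo_forms, publish_demo_forms,
	// read_private_demo_forms, delete_demo_forms, ... instead of the 'post'
	// capabilities. No role has these until a plugin grants them.
	register_post_type( 'demo_form', array(
		'public'          => false,
		'show_ui'         => false,
		'rewrite'         => false,
		'query_var'       => false,
		'capability_type' => array( 'demo_form', 'demo_forms' ),
		'map_meta_cap'    => true,
	) );
}

// Grant the derived capabilities only to the roles that should manage forms.
// Roles are persisted in the database, so this runs once, on activation.
register_activation_hook( __FILE__, 'demo_grant_form_caps' );

function demo_grant_form_caps() {
	// Full set that map_meta_cap consults for edit_post / delete_post on a
	// form in any status (draft, private, published) by any author.
	$caps = array(
		'edit_demo_forms',
		'edit_others_demo_forms',
		'edit_published_demo_forms',
		'edit_private_demo_forms',
		'publish_demo_forms',
		'read_private_demo_forms',
		'delete_demo_forms',
		'delete_others_demo_forms',
		'delete_published_demo_forms',
		'delete_private_demo_forms',
	);

	foreach ( array( 'administrator', 'editor' ) as $role_name ) {
		$role = get_role( $role_name );
		if ( ! $role ) {
			continue;
		}
		foreach ( $caps as $cap ) {
			$role->add_cap( $cap );
		}
	}
	// The Contributor role is deliberately left untouched: its edit_posts
	// no longer has any bearing on demo_form objects.
}

/**
 * Gate every write to a form behind the post type's own meta capability.
 * With map_meta_cap, 'edit_post' on a demo_form resolves to
 * edit_demo_forms / edit_others_demo_forms / edit_published_demo_forms as
 * appropriate, never to the generic 'edit_posts'.
 *
 * @param int $form_id Post ID of the form.
 * @return bool
 */
function demo_current_user_can_edit_form( $form_id ) {
	return current_user_can( 'edit_post', $form_id );
}
```

A quick way to confirm the registration on a live site is to inspect `get_post_type_object( 'demo_form' )->cap` and check that none of its values is a plain 'post' capability such as edit_posts; then log in as a Contributor and verify that `demo_current_user_can_edit_form()` returns false for an existing form.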