Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately.
An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server. This issue has been reported by Jinson Varghese Behanan from Astra Security.
Requires: WordPress 5.4 or higher
Tested up to: WordPress 5.6
» Download Contact Form 7 plugin from WordPress.org
Major changes
- Removes control, separator, and other types of special characters from filenames to fix the unrestricted file upload vulnerability.
- Akismet: Sets ISO 8601 date/time format for the `comment_date_gmt` parameter.
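The vulnerability description above and the first change in this list both come down to one defensive rule: strip control, format, and separator characters from a submitted filename before any extension check runs, so that a disallowed extension cannot be hidden behind them. The following is an added illustration in Python of that sanitization order; it is not Contact Form 7's own PHP code, and the denylist, function names, and sample inputs are constructed for the example.

```python
import os
import re
import unicodedata

# Unicode general categories removed before the extension check:
# Cc = control, Cf = format, Zs/Zl/Zp = space/line/paragraph separators.
STRIPPED_CATEGORIES = {"Cc", "Cf", "Zs", "Zl", "Zp"}

# Illustrative denylist of server-executable extensions (constructed for the
# example, not the plugin's list). Checked against every dot-separated
# component, because some web servers map handlers on inner extensions.
DENYLIST = {
    "php", "phtml", "php3", "php4", "php5", "phar",
    "pl", "py", "cgi", "asp", "aspx", "jsp", "sh",
}


def strip_special_chars(name: str) -> str:
    """Remove Unicode control, format and separator characters."""
    return "".join(
        ch for ch in name if unicodedata.category(ch) not in STRIPPED_CATEGORIES
    )


def sanitize_filename(name: str) -> str:
    """Normalize an untrusted filename to a conservative, path-free form."""
    name = name.replace("\\", "/")
    name = os.path.basename(name)            # discard any directory components
    name = strip_special_chars(name)         # step 1: strip control/separator chars
    name = re.sub(r"[^A-Za-z0-9._-]", "", name)  # step 2: conservative allowlist
    name = re.sub(r"\.{2,}", ".", name)      # collapse runs of dots
    name = name.strip(".")
    return name or "upload"                  # never return an empty name


def has_disallowed_extension(name: str) -> bool:
    """True if any extension component of the (already sanitized) name is denylisted."""
    components = name.lower().split(".")[1:]
    return any(ext in DENYLIST for ext in components)


def accept_upload(raw_name: str) -> tuple[bool, str]:
    """Sanitize first, then decide. Returns (accepted, stored_name)."""
    clean = sanitize_filename(raw_name)
    if has_disallowed_extension(clean):
        return False, clean
    return True, clean


if __name__ == "__main__":
    # Constructed sample inputs: ordinary names, names carrying control or
    # zero-width characters, and a path-traversal attempt.
    for sample in ["report.pdf", "photo.php\t.jpg", "photo\u200b.jpg",
                   "../../etc/passwd", "a..php", "shell.PHP"]:
        print(repr(sample), "->", accept_upload(sample))
```

The important design choice is the order of operations: the extension check runs only on the fully normalized name, and it inspects every component rather than just the last one. A check that looks at the raw filename, or only at the text after the final dot, is exactly what special characters and double extensions are used to defeat.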
You can browse the full list of changes on GitHub.