In the past few hours a lot of Contact Form 7 users have reported that their security tools provided by Avast Software have given a security alert about Contact Form 7. In particular, the alert says it has found a Trojan Horse in one of the script files in the Contact Form 7 package.
I have confirmed no such malware exists in Contact Form 7, so I believe that it is probably a false alarm. So far we haven’t received any information from Avast about this case.
I’ll update this post when there is new information.
The Sendinblue integration module for Contact Form 7 is under development. We plan to include this module into Contact Form 7 5.4, which will be released next February.
Are you interested in being one of the initial stage users of the module? We call for volunteer beta testers to try this module on their websites and report issues if they find bugs or room for improvement.
If it is OK for you to become a beta tester, please refer to the instructions on the GitHub repository page and download a plugin package for the module.
WordPress 5.5 has introduced the auto-update feature for plugins and themes. Keeping plugins and themes updated to the latest version is a key factor in managing your WordPress site securely. We strongly recommend you enable auto-updates for the Contact Form 7 plugin, but you should also be aware that there are risks involved in the use of auto-updates.
I’m excited to present Contact Form 7’s official logo!
This elegant, minimalistic logo was designed by Cheung Vong, an artist, designer, developer, and long-time user of Contact Form 7. For more than ten years since its beginning, Contact Form 7 has had no official logo. Now I can say proudly, “This is our logo!” Thank you for your great work, Cheung!
What’s the mountain?
The mountain seen in the icon is Mount Fuji. Because I have used Hokusai’s old print art as a temporary logo for many years, and users are familiar with the image, I asked the designer to continue using Mount Fuji as a motif in the new logo.
While it is not a vulnerability of WordPress, or its plugins, because there must be so many users of our products who are at risk of these vulnerabilities, and the damage from it could be huge, I think I should write an article here to alert you of the issue.
Contact Form 7 protects your forms from spammers with several different spam protection modules such as Akismet, reCAPTCHA, and disallowed list. These modules help a lot, but how can you know which module has blocked a submitted message and why the module has blocked it?
The “on_sent_ok” and its sibling setting “on_submit” are deprecated and scheduled to be abolished by the end of 2017. It’s not that using those settings is unsafe, but it’s possible that enabling them will increase risk in case there are vulnerabilities in this plugin or in other components of your site. It’s time to replace them with a safer alternative.
In the Messages tab in a contact form editor screen, you can edit messages that Contact Form 7 displays in different situations. In the messages, you can only use plain text; do not use HTML tags and entities.
Allowing HTML in a message can be a security risk; Contact Form 7 4.4 and later forcibly strip HTML when displaying the message. Review the Messages tab to make sure that you don’t have any HTML there.