Today I saw a lot of Contact Form 7 users reporting that the security software they use had detected a Trojan Horse in a script file in the Contact Form 7 package. I scanned the reported file on the WordPress.org plugin directory and found no problem, so I concluded that this is a false alarm.
The security software is provided by Avast Software. According to the reports from users, several other security applications from Avast’s group of companies showed the same alert. Avast is known to have caused a similar false alarm case that happened in 2021.
Contact Form 7 version 5.9.5 is now available. This minor update release includes a few improvements and security enhancements. Upgrading to this version as soon as possible is recommended.
Continue reading Contact Form 7 5.9.5 →
Contact Form 7 version 5.9.2 is now available. This minor update release includes a security fix to address a medium severity Reflected Cross-Site Scripting vulnerability issue reported by Wordfence researcher Asaf Mozes. It also contains several other bug fixes and improvements. Upgrade to 5.9.2 as soon as possible.
Continue reading Contact Form 7 5.9.2 →
Contact Form 7 version 5.8.4 is now available. This minor update release addresses a medium severity security issue recently reported.
Continue reading Contact Form 7 5.8.4 →
You can find so many add-on plugins for Contact Form 7 on the Internet. You might also assume that they have an affiliation with or are certified by the developers of Contact Form 7, but that’s not true. They are third-party products that have nothing to do with the Contact Form 7 project.
We don’t recommend any of them. In reality, some of them are known to have severe security vulnerabilities, so we strongly advise you to avoid using them.
Continue reading Warning against the use of vulnerable add-on plugins →
In the past few hours a lot of Contact Form 7 users have reported that their security tools provided by Avast Software have given a security alert about Contact Form 7. In particular, the alert says it has found a Trojan Horse in one of the script files in the Contact Form 7 package.
I have confirmed no such malware exists in Contact Form 7, so I believe that it is probably a false alarm. So far we haven’t received any information from Avast about this case.
I’ll update this post when there is new information.
Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately.
An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server. This issue has been reported by Jinson Varghese Behanan from Astra Security.
Continue reading Contact Form 7 5.3.2 →
WordPress 5.5 has introduced the auto-update feature for plugins and themes. Keeping plugins and themes updated to the latest version is a key factor in managing your WordPress site securely. We strongly recommend you enable auto-updates for the Contact Form 7 plugin, but you should also be aware that there are risks involved in the use of auto-updates.
Continue reading Heads-up about auto-updates →
Vulnerabilities affecting spreadsheet applications like Microsoft Excel and OpenOffice Calc have been known to exist for over 5 years, and unfortunately they seem to be still unresolved.
While this is not a vulnerability in WordPress or its plugins, so many users of our products are likely at risk from these vulnerabilities, and the damage from them could be so great, that I think I should write an article here to alert you to the issue.
Continue reading Heads-up about spreadsheet vulnerabilities →