Category Archives: Security
Contact Form 7 5.9.2
Contact Form 7 version 5.9.2 is now available. This minor update release includes a security fix to address a medium-severity reflected cross-site scripting (XSS) vulnerability reported by Wordfence researcher Asaf Mozes. It also contains several other bug fixes and improvements. Upgrade to 5.9.2 as soon as possible.
Contact Form 7 5.8.4
Contact Form 7 version 5.8.4 is now available. This minor update release addresses a medium severity security issue recently reported.
Warning against the use of vulnerable add-on plugins
You can find so many add-on plugins for Contact Form 7 on the Internet. You might also assume that they have an affiliation with or are certified by the developers of Contact Form 7, but that’s not true. They are third-party products that have nothing to do with the Contact Form 7 project.
We don’t recommend any of them. In reality, some of them are known to have severe security vulnerabilities, so we strongly advise you to avoid using them.
Avast security alert
In the past few hours a lot of Contact Form 7 users have reported that their security tools provided by Avast Software have given a security alert about Contact Form 7. In particular, the alert says it has found a Trojan Horse in one of the script files in the Contact Form 7 package.
I have confirmed no such malware exists in Contact Form 7, so I believe that it is probably a false alarm. So far we haven’t received any information from Avast about this case.
I’ll update this post when there is new information.
Contact Form 7 5.3.2
Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately.
An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server. This issue has been reported by Jinson Varghese Behanan from Astra Security.
Heads-up about auto-updates
WordPress 5.5 has introduced the auto-update feature for plugins and themes. Keeping plugins and themes updated to the latest version is a key factor in managing your WordPress site securely. We strongly recommend you enable auto-updates for the Contact Form 7 plugin, but you should also be aware that there are risks involved in the use of auto-updates.
Heads-up about spreadsheet vulnerabilities
Vulnerabilities affecting spreadsheet applications like Microsoft Excel and OpenOffice Calc have been known to exist for over 5 years, and unfortunately they seem to be still unresolved.
While this is not a vulnerability in WordPress or its plugins, there must be so many users of our products who are at risk from these vulnerabilities, and the damage from them could be huge, so I think I should write an article here to alert you to the issue.