Contact Form 7 Version 5.3.2 Patches Critical Vulnerability, Immediate Update Recommended

Dec 17, 2020 | Security - Internet, WordPress, and otherwise, WordPress News

contact-form-7-version-5-3-2-patches-critical-vulnerability-immediate-update-recommended Contact Form 7 Version 5.3.2 Patches Critical Vulnerability, Immediate Update Recommended

Contact Form 7 has patched a critical file upload vulnerability in version 5.3.2, released today by plugin author Takayuki Miyoshi. The plugin is installed on more than five million WordPress sites.

“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions,” Miyoshi said. “Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”

The vulnerability was discovered by Jinson Varghese Behanan from Astra Security on December 16, 2020, and Miyoshi released a fix less than 24 hours later. Behanan highlighted a few ways this vulnerability might be exploited:

  1. Possible to upload a web shell and inject malicious scripts
  2. Complete takeover of the website and server if there is no containerization between websites on the same server
  3. Defacing the website

Astra Security plans to publish more details on the vulnerability in two weeks after the plugin’s user base has had more time to update to the patched version.

Version 5.3.2 removes control, separator, and other types of special characters from the filename to fix the unrestricted file upload vulnerability. At the time of publishing, more than a million Contact Form 7 updates have been downloaded today. Approximately 20% of the plugin’s user base is protected from the vulnerability. Now that it has been patched and published, Contact Form 7 users who do not update will be more at risk of having the vulnerability exploited.


WordPress Development


seo news

We’re listening.

Have something to say about this article? Share it with us on Facebook, Twitter or LinkedIn:


Subscribe ToThe Weekly SEO Trade News Updates

Get the latest SEO, SEM and SMM marketing intel, tips and tricks from one of the best SEO Gurus online. 

Every Tuesday morning we send out an aggregated email listing all new posts on SEO Trade News.

Excellent! Now check your email to confirm your subscription.