Serious vulnerability found in Contact Form 7 WP plugin

The developers of the popular WordPress plugin Contact Form 7 have announced that they have fixed a serious unrestricted file upload vulnerability. It allowed attackers to add malicious scripts to the site.


An unrestricted file upload vulnerability in a WordPress plugin lets an attacker upload a web shell (a malicious script), which can then be used to hijack the site, tamper with its database, etc.

The developers have already closed this gap and strongly recommend that all plugin users update it to the latest version ( and higher).

The vulnerability was discovered by security researchers from Astra.

The Contact Form 7 plugin allows you to create contact forms of any complexity and customize them for any needs. It is used by 5+ million websites.

As a reminder, earlier this month, a vulnerability was discovered in the Easy WP SMTP WP plugin, which is used to send all emails from the site through the specified SMTP server.