Contact Form 7 Security Vulnerability (17 posts)

  1. LenK
    Member
    Posted 7 months ago #

    Mark Jaquith, a lead developer on the WordPress project, mentioned on Twitter that the plugin - Contact Form 7 - is being exploited. Users are advised to uninstall it until a fix is in place.

    Don't want to cause a panic but it is a popular plugin and the word needs to get out.

  2. takayukister
    Member
    Posted 7 months ago #

    I am the developer of the Contact Form 7 plugin. I have been informed about the issue by Mark Jaquith. It's not yet confirmed that the issue was really caused by Contact Form 7's vulnerability, so do not panic, please.

    I'm investigating the code and no vulnerability has been found for now. Anyway, I'll update the plugin and improve security more. It will be released soon.

  3. LenK
    Member
    Posted 7 months ago #

    Thanks for the update takayukister.

  4. jeffr0
    Member
    Posted 7 months ago #

    I've got a post about this warning people this morning at 7AM. This issue sounds pretty serious but I'll definitely update the post and point people to here to get more updates. Thanks for looking into it Taka.

  5. ryanhellyer
    Member
    Posted 7 months ago #

    Thanks for looking into this takayukister :)

    I'm deactivating the plugin right now but hopefully we'll get confirmation shortly that everything is fine with the plugin.

  6. flicksandfood
    Member
    Posted 7 months ago #

    @takayukister - Sorry, I had gotten confirmation last night that your plugin - Contact Form 7 - was causing us to get security hacks into our server. This was confirmed by the server techs. I do hope that you're able to find and fix the security issues as I was using the plugin as well. I had planned to install it into 3 other websites because it did work great but I will have to wait and see what security upgrades will be installed in the future - Contact Form 7 - Thank you.

  7. flicksandfood
    Member
    Posted 7 months ago #

    I wanted to add one more note and observation about your plugin - Contact Form 7 - the security issue didn't seem to arise until your latest plugin update on March 22, I believe. So I hope that helps to narrow down the problem. Thank you.

  8. takayukister
    Member
    Posted 7 months ago #

    flicksandfood, could you send mail to me about the detail of the issue you have seen, please? takayukister at gmail.com is my address. Thanks.

  9. takayukister
    Member
    Posted 7 months ago #

    I just released Contact Form 7 1.9.5. This should fix the reported issue. Upgrading is highly recommended.

  10. Riavon
    Member
    Posted 7 months ago #

    Takayukister - I installed the upgrade via WP Dashboard plugins automatic upgrade and it messed up my page with a big PHP error!

    This appeared at the top of my page:

    Warning: opendir(/home/riavon/public_html/content/wp-content/uploads/wpcf7_uploads/) [function.opendir]: failed to open dir: No such file or directory in /home/riavon/public_html/content/wp-content/plugins/contact-form-7/wp-contact-form-7.php on line 1558

    I had to deactivate your plugin, now. :(

  11. takayukister
    Member
    Posted 7 months ago #

    Riavon, I'm sorry. That's my mistake. I fixed it and released as v1.9.5.1, try it again, please.

  12. gullage
    Member
    Posted 7 months ago #

    @takayukister - was the issue isolated to version 1.9.4? I'm using 1.9.2.2 and wondering if I need to upgrade. Thanks!

  13. flicksandfood
    Member
    Posted 7 months ago #

    @gullage - I wouldn't upgrade. If yours is working fine right now then don't until we all know for sure the issue has been fixed.

    @takayukister - I was told that someone should have already contacted you about it. Thank you.

  14. takayukister
    Member
    Posted 7 months ago #

    gullage, as I wrote in the mail to you, I also recommend users using older versions of the plugin to upgrade it to be safe.

  15. ShaneF
    Member
    Posted 7 months ago #

    @takayukister: everything seems fine here! :D

  16. Odinkinder
    Member
    Posted 7 months ago #

    Ok, so is Contact Form 7 safe to use now? I seem to remember seeing a post about issues with IE, not a security issue though.

  17. jp_001
    Member
    Posted 7 months ago #

    ...might want to check out cforms, it's still the de-facto standard. Too bad it's not on wordpress.org anymore. Anyone know why?