WordPress.org

Contact Form 7 Security Vulnerability (17 posts)

  1. Len
    Member
    Posted 5 years ago #

    Mark Jaquith, a lead developer on the WordPress project, mentioned on Twitter that the plugin - Contact Form 7 - is being exploited. Users are advised to uninstall it until a fix is in place.

    Don't want to cause a panic but it is a popular plugin and the word needs to get out.

  2. Takayuki Miyoshi
    Member
    Posted 5 years ago #

    I am the developer of the Contact Form 7 plugin. I have been informed about the issue by Mark Jaquith. It's not yet confirmed that the issue was really caused by Contact Form 7's vulnerability, so do not panic, please.

    I'm investigating the code and no vulnerability has been found for now. Anyway I'll update the plugin and improve security more. It will be released soon.

  3. Len
    Member
    Posted 5 years ago #

    Thanks for the update takayukister.

  4. I've got a post about this warning people this morning at 7AM. This issue sounds pretty serious but I'll definitely update the post and point people to here to get more updates. Thanks for looking into it Taka.

  5. Ryan Hellyer
    Member
    Posted 5 years ago #

    Thanks for looking into this takayukister :)

    I'm deactivating the plugin right now but hopefully we'll get confirmation shortly that everything is fine with the plugin.

  6. flicksandfood
    Member
    Posted 5 years ago #

    @takayukister - Sorry I had gotten confirmation last night that your plugin - Contact Form 7 - was causing us to get security hacks into our server. This was confirmed by the server techs. I do hope that you're able to find and fix the security issues as I was using the plugin as well. I had planned to install it into 3 other websites because it did work great but I will have to wait and see what security upgrades will be installed in the future - Contact Form 7 - Thank you.

  7. flicksandfood
    Member
    Posted 5 years ago #

    I wanted to add one more note and observation about your plugin - Contact Form 7 - which is that the security issue didn't seem to arise until your latest plugin update on March 22, I believe. So I hope that helps to narrow down the problem. Thank you.

  8. Takayuki Miyoshi
    Member
    Posted 5 years ago #

    flicksandfood, could you send mail to me about the detail of the issue you have seen, please? takayukister at gmail.com is my address. Thanks.

  9. Takayuki Miyoshi
    Member
    Posted 5 years ago #

    I just released Contact Form 7 1.9.5. This should fix the reported issue. Upgrading is highly recommended.

  10. Riavon
    Member
    Posted 5 years ago #

    Takayukister - I installed the upgrade via WP Dashboard plugins automatic upgrade and it messed up my page with a big PHP error!

    This appeared at the top of my page:

    Warning: opendir(/home/riavon/public_html/content/wp-content/uploads/wpcf7_uploads/) [function.opendir]: failed to open dir: No such file or directory in /home/riavon/public_html/content/wp-content/plugins/contact-form-7/wp-contact-form-7.php on line 1558

    I had to deactivate your plugin, now. :(

  11. Takayuki Miyoshi
    Member
    Posted 5 years ago #

    Riavon, I'm sorry. That's my mistake. I fixed it and released as v1.9.5.1, try it again, please.

  12. gullage
    Member
    Posted 5 years ago #

    @takayukister - was the issue isolated to version 1.9.4? I'm using 1.9.2.2 and wondering if I need to upgrade. Thanks!

  13. flicksandfood
    Member
    Posted 5 years ago #

    @gullage - I wouldn't upgrade. If yours is working fine right now then don't until we all know for sure the issue has been fixed.

    @takayukister - I was told that someone should have already contacted you about it. Thank you.

  14. Takayuki Miyoshi
    Member
    Posted 5 years ago #

    gullage, as I wrote in the mail to you, I also recommend users using older versions of the plugin to upgrade it to be safe.

  15. ShaneF
    Member
    Posted 5 years ago #

    @takayukister: everything seems fine here! :D

  16. Odinkinder
    Member
    Posted 5 years ago #

    Ok, so is Contact Form 7 safe to use now? I seem to remember seeing a post about issues with IE, not a security issue though.

  17. jp_001
    Member
    Posted 5 years ago #

    ...might want to check out cforms, it's still the de-facto standard. too bad it's not on wordpress.org anymore. anyone know why?

Topic Closed

This topic has been closed to new replies.