Contact Form 7 support topic: Contact Form 7 REST API

Viewing 10 replies - 1 through 10 (of 10 total)
  • If you have a backup of your website from before the update to CF7 4.8, then use FTP to transfer the CF7 4.7 plugin to overwrite CF7 4.8. That will restore the plugin to the working version. Hope this made sense.

    Anyone who wants to return to version 4.7 can download the package from here:

    https://it.wordpress.org/plugins/contact-form-7/advanced/

    Section “Previous versions” 😉

    I've noticed that on Google Chrome version 4.8 isn't compatible with the “Disable REST API” plugin. Right now I've deactivated the plugin and will continue my tests with version 4.7 and an activated “Disable REST API” soon.
    Funny to say that it works on Firefox – but I have no clue why it happens.

    The fastest way I found to downgrade to CF7 4.7–much quicker than FTP–is to use File Manager in cPanel to upload the zip file for CF7 4.7 to the /wp-content/plugins directory, delete the old contact-form-7 folder, extract the zip file, then delete the zip file. Clearing the cache is a good idea if you’re using a caching plugin. Using File Manager to do the downgrade took less than a minute, whereas uploading the unzipped files was taking quite a while for me, and I had a bunch of sites to do.

    By the way, I tested CF7 4.7 on an install of WordPress 4.8 and it worked fine without any errors.

    Is there any update available? It isn't a solution to open the REST API to anonymous users.

    Is there any further info on this? I can't find anyone else saying contact-form-7 4.8 is vulnerable but…

    I was hacked recently – a shell script on my server. Looking through the logs, the attacker basically went:

    "GET / HTTP/1.1" 200
    "GET /contact-us/contact-form/ HTTP/1.1" 200 6728
    "POST /wp-json/contact-form-7/v1/contact-forms/{id}/feedback HTTP/1.1" 200 114
    "GET /wp-admin HTTP/1.1" 301 250
    "POST /wp-login.php HTTP/1.1"

    And in they went to cause mayhem.

    Could this vulnerability be used for SQL injection? Somehow they got into wp-admin with a username and password, and the homepage and contact page were the only ones they visited beforehand.
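For anyone triaging the sequence the post above describes, here is an added example that is not part of the thread: a small PHP command-line script that reads combined-format access log lines and reports clients that POSTed to a Contact Form 7 feedback endpoint and then POSTed to wp-login.php within a time window. The log lines in it are constructed for the example (they are not the poster's logs), and the function names are made up. It only flags the order of events on one client address; it does not show that the feedback endpoint was the way in, and nothing in this thread establishes that.

```php
<?php
// Added example: flag clients that submit a CF7 form and then POST to
// wp-login.php shortly afterwards. Heuristic for log triage only.

// Constructed sample log (combined format). Only 203.0.113.9 shows the
// sequence; 198.51.100.7 is an ordinary form submission.
function sample_log() {
    return <<<'LOG'
203.0.113.9 - - [10/Jun/2017:13:55:10 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2017:13:55:14 +0000] "GET /contact-us/contact-form/ HTTP/1.1" 200 6728 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2017:13:55:20 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/42/feedback HTTP/1.1" 200 114 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2017:13:55:31 +0000] "GET /wp-admin HTTP/1.1" 301 250 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2017:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2017:14:02:01 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/42/feedback HTTP/1.1" 200 114 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2017:14:02:05 +0000] "GET /thank-you/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;
}

// Parse one combined-format line into ip, unix time, method, path, status.
// Returns null for lines that do not match (rotated headers, junk).
function parse_log_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => strtok( $m[4], '?' ), // drop any query string
        'status' => (int) $m[5],
    );
}

// Return the client IPs that POSTed to a CF7 feedback endpoint and then
// POSTed to wp-login.php within $window seconds of that submission.
function find_cf7_then_login( $log, $window = 600 ) {
    $last_feedback = array(); // ip => time of the latest feedback POST
    $hits          = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = parse_log_line( $line );
        if ( ! $r || 'POST' !== $r['method'] ) {
            continue;
        }
        if ( preg_match( '#^/wp-json/contact-form-7/v1/contact-forms/\d+/feedback$#', $r['path'] ) ) {
            $last_feedback[ $r['ip'] ] = $r['time'];
        } elseif ( '/wp-login.php' === $r['path']
            && isset( $last_feedback[ $r['ip'] ] )
            && $r['time'] - $last_feedback[ $r['ip'] ] <= $window ) {
            $hits[ $r['ip'] ] = $r['time'];
        }
    }
    return array_keys( $hits );
}

if ( PHP_SAPI === 'cli' ) {
    // Swap sample_log() for file_get_contents('/var/log/apache2/access.log') on a real host.
    foreach ( find_cf7_then_login( sample_log() ) as $ip ) {
        echo "review: $ip submitted a CF7 form, then POSTed to wp-login.php\n";
    }
}
```

On the constructed sample this reports 203.0.113.9 and stays quiet about 198.51.100.7. If you run it on a real log, look at what the flagged client did between the two POSTs and at the wp-login.php response (a 302 to wp-admin means the credentials worked), and treat a hit as a reason to pull the full request bodies from any WAF or reverse-proxy logs you have, not as a finding on its own.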

    We disable the WP API using https://wordpress.org/plugins/disable-json-api/ too, and the 4.8 update broke Contact Form 7. There needs to be a toggle to disable it and get back to the old version.


    I left a suggestion for the author of https://wordpress.org/plugins/disable-json-api/ to allow whitelisting of API endpoints so we could get the two plugins to work together, here: https://wordpress.org/support/topic/restrict-plug-in-use-of-rest-api/#post-9396702. Chime in there if you'd like it to happen.
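One way to get the two to coexist without waiting on either plugin author, as an added example that is not part of this thread and not the code of Contact Form 7 or of Disable REST API: a must-use plugin that refuses unauthenticated REST requests except for the contact-form-7/v1 namespace that CF7 4.8 submits forms to. The rra_ prefix and the two helper functions are made up for the example; the rest_authentication_errors filter, rest_authorization_required_code() and the rest_route query var are WordPress core.

```php
<?php
/**
 * Plugin Name: Restrict REST API (allow Contact Form 7 only)
 * Description: Added example. Blocks the WP REST API for unauthenticated
 * requests except the namespaces listed below. Save as
 * wp-content/mu-plugins/restrict-rest-api.php.
 */

// Namespaces an anonymous visitor may still reach. Hypothetical list:
// add 'oembed/1.0' or others if another front-end feature needs them.
function rra_allowed_namespaces() {
    return array( 'contact-form-7/v1' );
}

// True when $route starts with one of the allowed namespaces.
// $route is the REST route without the /wp-json prefix, e.g.
// "/contact-form-7/v1/contact-forms/123/feedback".
function rra_route_is_allowed( $route, $allowed ) {
    $route = '/' . ltrim( $route, '/' );
    foreach ( $allowed as $ns ) {
        $prefix = '/' . trim( $ns, '/' ) . '/';
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

// Priority 101: run after core's cookie/nonce check (priority 100), so
// is_user_logged_in() already reflects a verified nonce rather than a bare
// session cookie sent by a cross-site request.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier filter already rejected the request: keep that error.
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    // Authenticated users (wp-admin, the editor, app passwords) keep full access.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Core stores the requested route here before serving the request.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    if ( rra_route_is_allowed( $route, rra_allowed_namespaces() ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_forbidden',
        'REST API access is restricted on this site.',
        array( 'status' => rest_authorization_required_code() ) // 401 for anonymous
    );
}, 101 );
```

Note what this does and does not do: the feedback endpoint itself stays reachable by anonymous visitors, because form submission is anonymous by design; what goes away is anonymous access to everything else, such as /wp/v2/users. Check it by submitting a form from the front end (should still work) and by requesting /wp-json/wp/v2/users without a session (should return 401). Sites using oEmbed or themes that fetch from /wp/v2 anonymously must add those namespaces to the list, and, as with the Disable REST API plugin, anything else that hooks rest_authentication_errors can change the outcome.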

    Edi (@psychosopher)

    Still no answer from the author?

    In my opinion the plugin has to be deleted from the repository.

    I have read a lot of topics here with the same problem. I have just tested the current version 4.9, which does not work either.

    For those who are looking for an easy way to roll back to an earlier version (4.7), look at this plugin: https://wordpress.org/plugins/wp-rollback/

  • The topic ‘Contact Form 7 REST API’ is closed to new replies.