Support » Plugins » Contact Form 7 Security Vulnerability

  • Mark Jaquith, a lead developer on the WordPress project, mentioned on Twitter that the plugin – Contact Form 7 – is being exploited. Users are advised to uninstall it until a fix is in place.

    Don’t want to cause a panic but it is a popular plugin and the word needs to get out.

Viewing 15 replies - 1 through 15 (of 16 total)
  • I am the developer of Contact Form 7 plugin. I have been informed about the issue from Mark Jaquith. It’s not yet confirmed that the issue was really caused by Contact Form 7’s vulnerability, so do not panic, please.

    I’m investigating the codes and no vulnerability have been found for now. Anyway I’ll update the plugin and improve security more. It will be released soon.

    Thanks for the update takayukister.

    Jeff Chandler


    Volunteer Moderator and Voice of WP

    I’ve got a post about this warning people this morning at 7AM. This issue sounds pretty serious but I’ll definitely update the post and point people to here to get more updates. Thanks for looking into it Taka.

    Thanks for looking into this takayukister 🙂

    I’m deactivating the plugin right now but hopefully we’ll get confirmation shortly that everything is fine with the plugin.

    @takayukister – Sorry I had gotten confirmation last night that your plugin – Contact Form 7 – was causing us to get security hacks into our server. This was confirmed by the server techs. I do hope that you’re able to find and fix the security issues as I was using the plugin as well. I had planned to install it into 3 other websites be cause it did work great but I will have to wait and see what security upgrades will be installed in the future – Contact Form 7 – Thank you.

    I wanted to add one more note and observation about your plugin – Contact Form 7 – was the securities issue didn’t seem to arise until your latest plugin update in March 22? I believe. So I hope that helps to narrow down the problem. Thank you.

    flicksandfood, could you send mail to me about the detail of the issue you have seen, please? takayukister at is my address. Thanks.

    I just released Contact Form 7 1.9.5. This should fix the reported issue. Upgrading is highly recommended.

    Takayukister – I installed the upgrade via WP Dashboard plugins automatic upgrade and it messed up my page with a big PHP error!

    This appeared at the top of my page:

    Warning: opendir(/home/riavon/public_html/content/wp-content/uploads/wpcf7_uploads/) [function.opendir]: failed to open dir: No such file or directory in /home/riavon/public_html/content/wp-content/plugins/contact-form-7/wp-contact-form-7.php on line 1558

    I had to deactivate your plugin, now. 🙁

    Riavon, I’m sorry. That’s my mistake. I fixed it and released as v1.9.5.1, try it again, please.

    @takayukister – was the issue isolated to version 1.9.4? I’m using and wondering if I need to upgrade. Thanks!

    @gullage – I wouldn’t upgrade. If yours is working fine right now then don’t until we all know for sure the issue has been fixed.

    @takayukister – I was told that someone should have already contacted you about it. Thank you.

    gullage, as I wrote in the mail to you, I also recommend users using older versions of the plugin to upgrade it to be safe.

    @takayukister: everything seems fine here! 😀

    Ok, so is Contact Form 7 safe to use now? I seem to remember seeing a post about issues with IE, not a security issue though.

Viewing 15 replies - 1 through 15 (of 16 total)
  • The topic ‘Contact Form 7 Security Vulnerability’ is closed to new replies.