SQL Injection Problem with Contact Form 7?

  • Resolved jodamo5

    (@jodamo5)



    A number of sites we run that have Contact Form 7 on have been hit with nasty SQL injection in the last month. We’re trying to identify where the injection is happening and found this article from about 7 weeks ago talking about SQL injection in Contact Form 7: https://www.pluginvulnerabilities.com/2017/06/08/vulnerability-details-sql-injection-vulnerability-in-save-contact-form-7/

    Any of our sites that have Gravity Forms installed instead have not been hit, which makes us think that Contact Form 7 might be the problem.

    Are you aware of the vulnerability that is listed on that site? And is there an update coming out to fix it? Hopefully you can identify what needs to be fixed. Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Vulnerabilities

    (@pluginvulnerabilities)

    The post you are linking to, which is from our website, relates to a vulnerability that had previously been in the plugin Save Contact Form 7, not Contact Form 7.

    If a website has been hacked through a plugin there should be evidence in log file(s) of HTTP activity, so that is what you would want to be reviewing to determine the source of the hack.
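The log review suggested in the reply above, sketched as an added example that is not part of the original thread: it scans web server access log lines for SQL injection markers in the request URL and attributes each hit to the plugin directory it targeted. The plugin slug `example-plugin`, the IP addresses and all log lines are constructed, the patterns are heuristics, and only the URL is inspected because access logs do not record POST bodies.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined Log Format prefix: ip ident user [time] "METHOD uri PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Heuristic SQL injection markers in a decoded URL (not exhaustive).
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|\bsleep\s*\(|\bbenchmark\s*\(|information_schema"
    r"|'\s*(or|and)\s+['\d]", re.I)
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?]+)")

def triage(lines):
    """Return (hits, per_component) for requests whose URL looks like SQLi."""
    hits, per_component = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, when, method, uri, status = m.groups()
        decoded = unquote_plus(unquote_plus(uri))  # second pass: double encoding
        if not SQLI_RE.search(decoded):
            continue
        plugin = PLUGIN_RE.search(decoded)
        # Attribute the hit to a plugin slug, else to the script path.
        component = plugin.group(1) if plugin else decoded.split("?", 1)[0]
        per_component[component] += 1
        hits.append({"ip": ip, "time": when, "method": method,
                     "component": component, "status": int(status)})
    return hits, per_component

# Constructed sample lines (hypothetical plugin slug, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2017:10:00:01 +0000] "GET /contact/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Aug/2017:10:02:11 +0000] "GET /wp-content/plugins/example-plugin/export.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 734',
    '198.51.100.23 - - [01/Aug/2017:10:02:15 +0000] "GET /wp-content/plugins/example-plugin/export.php?id=1%2527%2520OR%2520%25271 HTTP/1.1" 500 0',
    '192.0.2.44 - - [01/Aug/2017:11:30:00 +0000] "GET /index.php?page_id=2%20AND%20SLEEP(5) HTTP/1.1" 404 312',
    '203.0.113.7 - - [01/Aug/2017:11:31:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58',
]

if __name__ == "__main__":
    hits, per_component = triage(SAMPLE_LOG)
    for name, count in per_component.most_common():
        print(f"{count:3d} suspicious request(s) -> {name}")
    for h in hits:
        print(h["time"], h["ip"], h["method"], h["component"], h["status"])
```

A flagged request shows an attempt, not a compromise; compare its timestamp and status code with when the injected content first appeared on the site.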

    jodamo5

    (@jodamo5)

    Thanks for your reply and clarification. With 5 million installs it is good to know that the SQL injection vulnerability wasn’t with Contact Form 7 itself. We’ll have to dig deeper to try to identify how the code was injected throughout the site.

  • The topic ‘SQL Injection Problem with Contact Form 7?’ is closed to new replies.