Title: SQL Injection Problem with Contact Form 7?
Last modified: August 31, 2017

---

# SQL Injection Problem with Contact Form 7?

 *  Resolved [jodamo5](https://wordpress.org/support/users/jodamo5/)
 * (@jodamo5)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-problem-with-contact-form-7/)
 * A number of sites we run that have Contact Form 7 on have been hit with nasty
   SQL injection in the last month. We’re trying to identify where the injection
   is happening and found this article from about 7 weeks ago talking about SQL 
   injection in Contact Form 7: [https://www.pluginvulnerabilities.com/2017/06/08/vulnerability-details-sql-injection-vulnerability-in-save-contact-form-7/](https://www.pluginvulnerabilities.com/2017/06/08/vulnerability-details-sql-injection-vulnerability-in-save-contact-form-7/)
 * Any of our sites that have Gravity Forms installed instead have not been hit,
   which makes us think that Contact Form 7 might be the problem.
 * Are you aware of the vulnerability that is listed on that site? And is there 
   an update coming out to fix it? Hopefully you can identify what needs to be fixed.
   Thanks.


 *  [pluginvulnerabilities](https://wordpress.org/support/users/pluginvulnerabilities/)
 * (@pluginvulnerabilities)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-problem-with-contact-form-7/#post-9459160)
 * The post you are linking to, which is from our website, relates to a vulnerability
   that had previously been in the plugin Save Contact Form 7, not Contact Form 
   7.
 * If a website has been hacked through a plugin, there should be evidence in log
   file(s) of HTTP activity, so that is what you would want to be reviewing to determine
   the source of the hack.
 *  Thread Starter [jodamo5](https://wordpress.org/support/users/jodamo5/)
 * (@jodamo5)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-problem-with-contact-form-7/#post-9459346)
 * Thanks for your reply and clarification. With 5 million installs it is good to
   know that the SQL injection vulnerability wasn’t with Contact Form 7 itself. 
   We’ll have to dig deeper to try to identify how the code was injected throughout
   the site.
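
The HTTP log review suggested in the first reply, as an added example that is not part of the original thread: it scans web server access log lines in Combined Log Format for SQL injection markers in the request URL and groups the hits by the plugin path or `admin-ajax.php` action that received them. The plugin slug `example-plugin`, the action `example_export`, the marker list and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Common SQL injection markers: a starting set for triage, not an exhaustive list.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|information_schema|sleep\s*\(|benchmark\s*\("
    r"|'\s*(or|and)\s+\d+\s*=\s*\d+", re.I)
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/]+)/")

def endpoint_of(target):
    """Map a request target to the plugin or AJAX action that handled it."""
    parts = urlsplit(target)
    m = PLUGIN_RE.search(parts.path)
    if m:
        return "plugin:" + m.group(1)
    if parts.path.endswith("/wp-admin/admin-ajax.php"):
        action = parse_qs(parts.query).get("action", ["?"])[0]
        return "ajax:" + action
    return parts.path

def suspicious_requests(lines):
    """Yield (ip, time, endpoint, status) for requests whose URL looks like SQLi."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        ip, when, _method, target, status = m.groups()
        # Decode twice so double URL-encoded payloads (%2527 -> %27 -> ') are seen.
        decoded = unquote_plus(unquote_plus(target))
        if SQLI_RE.search(decoded):
            yield ip, when, endpoint_of(target), int(status)

def summarize(lines):
    """Count suspicious requests per endpoint, most-hit first."""
    return Counter(e for _, _, e, _ in suspicious_requests(lines)).most_common()

# Constructed sample lines (documentation IP ranges, hypothetical plugin names).
SAMPLE = [
    '203.0.113.5 - - [01/Aug/2017:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_export&id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.5 - - [01/Aug/2017:10:00:07 +0000] "GET /wp-content/plugins/example-plugin/export.php?id=1%27%20OR%201%3D1 HTTP/1.1" 200 900 "-" "curl"',
    '198.51.100.9 - - [01/Aug/2017:10:02:11 +0000] "GET /wp-content/plugins/example-plugin/export.php?id=1%2527%2520OR%25201%253D1 HTTP/1.1" 500 0 "-" "curl"',
    '198.51.100.20 - - [01/Aug/2017:10:03:00 +0000] "GET /?s=select+a+union HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for endpoint, hits in summarize(SAMPLE):
        print(f"{hits:4d}  {endpoint}")
```

Access logs normally record only the request line, so a payload sent in a POST body will not match here; such requests show up only as POSTs to the receiving endpoint.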


The topic ‘SQL Injection Problem with Contact Form 7?’ is closed to new replies.


 * 2 replies
 * 2 participants
 * Last reply from: [jodamo5](https://wordpress.org/support/users/jodamo5/)
 * Last activity: [8 years, 9 months ago](https://wordpress.org/support/topic/sql-injection-problem-with-contact-form-7/#post-9459346)
 * Status: resolved