What is Contact Form 7?

By our estimation, Contact Form 7 is the most widely used form plugin for WordPress and one of the most popular plugins for the platform in general. While we switched contact form plugins years ago, it’s one that we still see installed on sites all the time.

For a free plugin, it is packed with useful features that make it easy to customize and an ideal one-size-fits-all plugin for most sites. The plugin even has free integrations for tools like Google reCaptcha and even a CMS like Constant Contact.

What is wrong?

One of those extra bells and whistles that the plugin comes with allows users to upload a file to your server. Like any plugin, the process works by uploading a temporary file to the server and then a permanent version once the form is officially submitted.

Unfortunately, it was discovered that any version of the plugin below version 5.3.2 utilizes a process that didn’t properly sanitize the name of the file before committing it to the server. This means that someone could upload a file with code that grants them access to your site, automatically users redirects to their site, or even worse.

Luckily, the developers did the correct thing in addressing this issue once it came to their attention and were forthright in notifying people that they need to patch the plugin immediately! Of course, this also means that hackers and bots are now aware of this exploit and are using it to attack any site that hasn’t already upgraded. If your site is running v5.3.1 or an earlier version of Contact Form, we recommend updating to v5.3.2 or higher immediately!