A serious vulnerability was found in the popular Contact Form 7 plugin for WordPress, and the plugin needs to be updated immediately. The author of the plugin released a security bug fix on 12/17/20. The latest version of the CF7 plugin is 5.3.2. The security issue is mitigated by updating the plugin to the most recent version. IDP web hosting customers do not need to stress about this issue: our managed WordPress hosting includes WP updates and security bug fixes. Details from the plugin author can be found here:
The security vulnerability would allow an attacker to upload a malicious file through the file upload feature in Contact Form 7, which lets users attach a file when submitting a form. The critical issue is classified as an unrestricted file upload bug. The vulnerability could allow the attacker to deface the website, take control of the website or possibly take control of the web server. More details about the security issue can be found here:
Contact Form 7 Plugin Usage
Contact Form 7 is hugely popular. At IDP we install and set up Contact Form 7 on every website we build. The CF7 plugin is quick and easy to use when developing submit forms for websites. We highly recommend this plugin to build WordPress contact forms. The author has addressed the issue quickly and we will continue to use Contact Form 7.