In the messages tab in a contact form editor screen, messages could be created that Contact Form 7 displays in different situations. Allowing HTML in a message can be a security risk, and as such, only plain text is allowed. This patch forcibly strips all HTML tags and entities from these messages.

This vulnerability affects the following application versions:

  • Contact Form 7 3.6
  • Contact Form 7 3.7
  • Contact Form 7 3.7.1
  • Contact Form 7 3.7.2
  • Contact Form 7 3.8
  • Contact Form 7 3.8.1
  • Contact Form 7 3.9
  • Contact Form 7 3.9.1
  • Contact Form 7 3.9.2
  • Contact Form 7 3.9.3
  • Contact Form 7 3.9-beta
  • Contact Form 7 4.0
  • Contact Form 7 4.0.1
  • Contact Form 7 4.0.2
  • Contact Form 7 4.0.3
  • Contact Form 7 4.1
  • Contact Form 7 4.1.1
  • Contact Form 7 4.1.2
  • Contact Form 7 4.1-beta
  • Contact Form 7 4.2
  • Contact Form 7 4.2.1
  • Contact Form 7 4.2.2
  • Contact Form 7 4.2-beta
  • Contact Form 7 4.3
  • Contact Form 7 4.3.1

Skriv et svar

Din e-mailadresse vil ikke blive publiceret. Krævede felter er markeret med *