It was possible for certain key-value pairs found in URL queries to not be properly encoded. The introduction of the ‘wpcf7_build_query()’ function in this patch ensured that all key-value pairs would be properly URL encoded.
This vulnerability affects the following application versions:
- Contact Form 7 3.3.1
- Contact Form 7 3.3.2
- Contact Form 7 3.3.3
- Contact Form 7 3.4
- Contact Form 7 3.4.1
- Contact Form 7 3.4.2
- Contact Form 7 3.5
- Contact Form 7 3.5.1
- Contact Form 7 3.5.2
- Contact Form 7 3.5.3
- Contact Form 7 3.5.4
- Contact Form 7 3.6
- Contact Form 7 3.7
- Contact Form 7 3.7.1
- Contact Form 7 3.7.2
- Contact Form 7 3.8
- Contact Form 7 3.8.1
- Contact Form 7 3.9
- Contact Form 7 3.9.1
- Contact Form 7 3.9.2
- Contact Form 7 3.9.3
- Contact Form 7 3.9-beta
- Contact Form 7 4.0
- Contact Form 7 4.0.1