Contact Form 7 Archives - Standoutmedia A/S

Improper validation of integrity check in order replay vulnerability

Skrevet den 5. juni 202518. oktober 2025 af i Contact Form 7

Due to insufficient validation of a user-controlled key in the `wpcf7_stripe_skip_spam_check` function, unauthenticated attackers can reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed through Stripe, but the plugin sends a success email message for each transaction, potentially tricking an administrator into fulfilling each order.

This vulnerability affects the following application versions:

Invalid redirect vai the action_url

Skrevet den 11. juni 202418. oktober 2025 af i Contact Form 7

Employing wpcf7_form_action_url filter to lead form submitters to a different site is not the intended use, and can constitute a security risk.

This vulnerability affects the following application versions:

Contact Form 7 5.9
Contact Form 7 5.9.2
Contact Form 7 5.9.3
Contact Form 7 5.9.4

Validate input on request parameter active-tab.

Skrevet den 28. marts 202418. oktober 2025 af i Contact Form 7

Converts request parameter active-tab to integer or defaults it to 0.

This vulnerability affects the following application versions:

Contact Form 7 5.9

XSS in formatting

Skrevet den 19. februar 202418. oktober 2025 af i Contact Form 7

The input variable is casted to string before sanitizing to prevent xss attacks.

This vulnerability affects the following application versions:

Inadequate filename validation and sanitization

Skrevet den 1. december 202318. oktober 2025 af i Contact Form 7

Insufficient validation and sanitization of filenames during the upload process create a vulnerability, paving the way for possible exploitation through file manipulation.

This vulnerability affects the following application versions:

XSS in the mail component

Skrevet den 1. maj 202318. oktober 2025 af i Contact Form 7

The mail component of the ContactForm 7 is not properly escaped against an XSS attack.

This vulnerability affects the following application versions:

XSS in form and mail body

Skrevet den 16. november 202118. oktober 2025 af i Contact Form 7

Form and email body aren’t correctly escaped for HTML which can lead to XSS.

This vulnerability affects the following application versions:

XSS in unit tag

Skrevet den 16. november 202118. oktober 2025 af i Contact Form 7

Unit tag in setup meta data isn’t properly escaped and can lead to XSS.

This vulnerability affects the following application versions:

Contact Form 7 5.2
Contact Form 7 5.2.1
Contact Form 7 5.2.2
Contact Form 7 5.3
Contact Form 7 5.3.1
Contact Form 7 5.3.2
Contact Form 7 5.4
Contact Form 7 5.4.1
Contact Form 7 5.4.2

Unrestricted file upload vulnerability

Skrevet den 18. december 202018. oktober 2025 af i Contact Form 7

Utilizing this vulnerability, a form submitter could bypass Contact Form 7’s filename sanitization, and upload a file which could be executed as a script file on the host server.

This vulnerability affects the following application versions:

User input validation to avoid data manipulation

Skrevet den 9. juni 202018. oktober 2025 af i Contact Form 7

User input validation: Strictly compares to boolean _false_.

This vulnerability affects the following application versions:

Introduces the file path check

Skrevet den 27. november 201818. oktober 2025 af i Contact Form 7

Introduces wpcf7_is_file_path_in_content_dir() to support the use of the UPLOADS constant.

This vulnerability affects the following application versions:

Contact Form 7 4.7
Contact Form 7 4.8
Contact Form 7 4.8.1
Contact Form 7 4.9
Contact Form 7 4.9.1
Contact Form 7 4.9.2
Contact Form 7 5.0
Contact Form 7 5.0.1
Contact Form 7 5.0.2
Contact Form 7 5.0.3
Contact Form 7 5.0.4

Ignore local file attachment when the file is out of WP_CONTENT_DIR

Skrevet den 7. november 201820. november 2024 af i Contact Form 7

Prior to this patch, it was possible to attach a local file to a contact form upload under certain circumstances, even if the file was outside of the /wp-content/ directory. This patch updates the upload capabilities so it no longer possible to attach a local file that is outside of the /wp-content/ directory.

This vulnerability affects the following application versions:

Use wp_rand() instead of mt_rand() for CAPTCHA file name generation to make it harder for attackers to predict its next value

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

The CAPTCHA system made use of the internal PHP random function mt_rand() when determining which CAPTCHA to phrases to present. With this new improvement, the CAPTCHA system instead makes use of the WordPress-specific wp_rand() function, which utilizes different randomization algorithms, making the CAPTCHA system much harder to predict.

This vulnerability affects the following application versions:

Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8
Contact Form 7 3.8.1
Contact Form 7 3.9
Contact Form 7 3.9.1
Contact Form 7 3.9.2
Contact Form 7 3.9.3
Contact Form 7 3.9-beta
Contact Form 7 4.0
Contact Form 7 4.0.1
Contact Form 7 4.0.2
Contact Form 7 4.0.3
Contact Form 7 4.1
Contact Form 7 4.1-beta

Clear $phpmailer->AltBody to avoid unintended inheritance from previous wp_mail() calls

Skrevet den 5. november 201820. november 2024 af i Contact Form 7

Since the wp_mail() function doesn’t clear the $phpmailer->AltBody attribute and uses the same $phpmailer object repetitively, it is necessary to clear any data that may have been stored in the attribute from previous wp_mail() calls.

This vulnerability affects the following application versions:

Contact Form 7 4.4
Contact Form 7 4.4.1
Contact Form 7 4.4.2
Contact Form 7 4.5
Contact Form 7 4.5.1
Contact Form 7 4.6
Contact Form 7 4.6.1
Contact Form 7 4.7
Contact Form 7 4.8

Properly remove uploaded files with permissions issues on Windows / IIS servers

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

Due to the way some IIS-based servers check permissions on files and directories, it was possible for some uploaded files to not be removed properly under certain circumstances. This patch altered the way Contact Form 7 deletes uploaded files to account for those specific IIS-based configurations.

This vulnerability affects the following application versions:

Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8
Contact Form 7 3.8.1
Contact Form 7 3.9
Contact Form 7 3.9.1
Contact Form 7 3.9.2
Contact Form 7 3.9.3
Contact Form 7 3.9-beta
Contact Form 7 4.0
Contact Form 7 4.0.1
Contact Form 7 4.0.2
Contact Form 7 4.0.3
Contact Form 7 4.1
Contact Form 7 4.1.1
Contact Form 7 4.1.2
Contact Form 7 4.1-beta
Contact Form 7 4.2
Contact Form 7 4.2.1
Contact Form 7 4.2.2
Contact Form 7 4.2-beta
Contact Form 7 4.3
Contact Form 7 4.3.1
Contact Form 7 4.4
Contact Form 7 4.4.1
Contact Form 7 4.4.2

Sanitize contact form titles

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

The title attribute of contact forms were not being thoroughly sanitized. Additional filtering measures have been implemented in this patch.

This vulnerability affects the following application versions:

HTML is not allowed in messages

Skrevet den 5. november 201820. november 2024 af i Contact Form 7

In the messages tab in a contact form editor screen, messages could be created that Contact Form 7 displays in different situations. Allowing HTML in a message can be a security risk, and as such, only plain text is allowed. This patch forcibly strips all HTML tags and entities from these messages.

This vulnerability affects the following application versions:

Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8
Contact Form 7 3.8.1
Contact Form 7 3.9
Contact Form 7 3.9.1
Contact Form 7 3.9.2
Contact Form 7 3.9.3
Contact Form 7 3.9-beta
Contact Form 7 4.0
Contact Form 7 4.0.1
Contact Form 7 4.0.2
Contact Form 7 4.0.3
Contact Form 7 4.1
Contact Form 7 4.1.1
Contact Form 7 4.1.2
Contact Form 7 4.1-beta
Contact Form 7 4.2
Contact Form 7 4.2.1
Contact Form 7 4.2.2
Contact Form 7 4.2-beta
Contact Form 7 4.3
Contact Form 7 4.3.1

Create_function() removed to avoid security risks

Skrevet den 5. november 201820. november 2024 af i Contact Form 7

Avoid using create_function(). The create_function() has a security risk like eval() does, and PHP 7.2 will warn you if the function is used.

This vulnerability affects the following application versions:

Properly escape particular URL displayed inside the admin page

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

Inside the Admin Panel, an internal URL was not being properly escaped. This patch uses the esc_url() function to properly escape the URL.

This vulnerability affects the following application versions:

Contact Form 7 4.4
Contact Form 7 4.4.1
Contact Form 7 4.4.2
Contact Form 7 4.5
Contact Form 7 4.5.1
Contact Form 7 4.6
Contact Form 7 4.6.1
Contact Form 7 4.7
Contact Form 7 4.8
Contact Form 7 4.8.1
Contact Form 7 4.9
Contact Form 7 4.9.1
Contact Form 7 4.9.2
Contact Form 7 5.0
Contact Form 7 5.0.1
Contact Form 7 5.0.2
Contact Form 7 5.0.3

Specifies the capability_type argument explicitly in the register_post_type() call

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

A privilege escalation vulnerability had been closed by explicitly specifying the ‘capability_type’ argument in the register_post_type() function call.

This vulnerability affects the following application versions:

Added a random-named directory to each uploaded file’s temporary file path

Skrevet den 5. november 201820. november 2024 af i Contact Form 7

Temporary upload directories were not randomly named, and could potentially be guessed by an attacker. This enhancement introduced randomly named directories to the temporary upload file path, making it significantly more difficult to guess the temporary path.

This vulnerability affects the following application versions:

Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8
Contact Form 7 3.8.1
Contact Form 7 3.9
Contact Form 7 3.9.1
Contact Form 7 3.9-beta

Allowed bypassing CAPTCHA validation when submitting form data

Skrevet den 5. november 201820. november 2024 af i Contact Form 7

It was possible for a user to bypass CAPTCHA validation under certain circumstances while submitting form data. This was unintentional, and the bypass has been fixed.

This vulnerability affects the following application versions:

Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1

Fixed some URL outputs that used esc_url_raw in places where esc_url should have been used

Skrevet den 5. november 201820. november 2024 af i Contact Form 7

Certain sections of the codebase utilized the esc_url_raw() function where the esc_url() function should have been used instead. Potentially leading to unsanitized output.

This vulnerability affects the following application versions:

Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8

Introduced wpcf7_build_query() to correctly apply urlencode to keys and values in URL queries

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

It was possible for certain key-value pairs found in URL queries to not be properly encoded. The introduction of the ‘wpcf7_build_query()’ function in this patch ensured that all key-value pairs would be properly URL encoded.

This vulnerability affects the following application versions:

Contact Form 7 3.3.1
Contact Form 7 3.3.2
Contact Form 7 3.3.3
Contact Form 7 3.4
Contact Form 7 3.4.1
Contact Form 7 3.4.2
Contact Form 7 3.5
Contact Form 7 3.5.1
Contact Form 7 3.5.2
Contact Form 7 3.5.3
Contact Form 7 3.5.4
Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8
Contact Form 7 3.8.1
Contact Form 7 3.9
Contact Form 7 3.9.1
Contact Form 7 3.9.2
Contact Form 7 3.9.3
Contact Form 7 3.9-beta
Contact Form 7 4.0
Contact Form 7 4.0.1

Introduced WPCF7_Submission::sanitize_posted_data()

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

A new feature was introduced that allowed data submitted through a form to be sanitized as a whole. This consolidates and simplifies the process of data input sanitization as part of the data submission process.

This vulnerability affects the following application versions:

Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8
Contact Form 7 3.8.1
Contact Form 7 3.9
Contact Form 7 3.9.1
Contact Form 7 3.9.2
Contact Form 7 3.9.3
Contact Form 7 3.9-beta
Contact Form 7 4.0
Contact Form 7 4.0.1
Contact Form 7 4.0.2
Contact Form 7 4.0.3

Introduce WPCF7_ShortcodeManager::sanitize_tag_type()

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

A new feature was introduced that allows for tag types to be properly sanitized.

This vulnerability affects the following application versions:

Contact Form 7 3.5.1
Contact Form 7 3.5.2
Contact Form 7 3.5.3
Contact Form 7 3.5.4
Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8
Contact Form 7 3.8.1
Contact Form 7 3.9
Contact Form 7 3.9.1
Contact Form 7 3.9.2
Contact Form 7 3.9.3
Contact Form 7 3.9-beta
Contact Form 7 4.0
Contact Form 7 4.0.1
Contact Form 7 4.0.2
Contact Form 7 4.0.3

Saved submitter’s contact info even when the submission was spam

Skrevet den 5. november 201818. oktober 2025 af i Contact Form 7

If the Flamingo Plugin was installed alongside Contact Form 7 in order to save submitted forms to the database, then Flamingo would still save the data even when a submission was flagged as spam. With this change, spammy data is no longer saved to the database.

This vulnerability affects the following application versions:

Contact Form 7 3.6
Contact Form 7 3.7
Contact Form 7 3.7.1
Contact Form 7 3.7.2
Contact Form 7 3.8
Contact Form 7 3.8.1
Contact Form 7 3.9
Contact Form 7 3.9.1
Contact Form 7 3.9-beta

Om os

Standoutmedia er et webbureau dedikeret til WordPress platformen.
Vi driver egne hostingløsninger, hvor tusindvis af kunder hver dag modtager sikkerhedsopdateringer.

Læs mere om os her: https://standoutmedia.dk/