Inside the Admin Panel, an internal URL was not being properly escaped. This patch uses the esc_url() function to properly escape the URL.
This vulnerability affects the following application versions:
- Contact Form 7 4.4
- Contact Form 7 4.4.1
- Contact Form 7 4.4.2
- Contact Form 7 4.5
- Contact Form 7 4.5.1
- Contact Form 7 4.6
- Contact Form 7 4.6.1
- Contact Form 7 4.7
- Contact Form 7 4.8
- Contact Form 7 4.8.1
- Contact Form 7 4.9
- Contact Form 7 4.9.1
- Contact Form 7 4.9.2
- Contact Form 7 5.0
- Contact Form 7 5.0.1
- Contact Form 7 5.0.2
- Contact Form 7 5.0.3