
5M WordPress Sites Running ‘Contact Form 7’ Plugin Open to Attack
2020-12-17 22:27

A patch for the popular WordPress plugin called Contact Form 7 was released Thursday.

The patch comes in the form of a 5.3.2 version update to the Contact Form 7 plugin.

The plugin is active on 5 million websites, the majority of which run version 5.3.1 or older of Contact Form 7.

The bug hunter credited with identifying the flaw, Jinson Varghese, wrote that the vulnerability allows an unauthenticated user to bypass any form file-type restrictions in Contact Form 7 and upload an executable binary to a site running plugin version 5.3.1 or earlier.

"For users who have automatic updates on for WordPress plugins, the software will automatically update. For others, they indeed will be required to proactively update," he told Threatpost.
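For anyone responsible for more than a handful of sites, the first practical step is to find which installs still carry a release older than 5.3.2. The script below is an added example for this page, not code from the plugin, from Threatpost or from the researcher. It reads the Version: line from the plugin's header comment (the main file is assumed to be wp-content/plugins/contact-form-7/wp-contact-form-7.php; the article does not name it) and compares it numerically against 5.3.2, so that a hypothetical 5.3.10 is not mistaken for an old release the way a plain string comparison would. The sample headers are constructed.

```python
"""Audit WordPress sites for Contact Form 7 releases older than the 5.3.2 patch.

Added example for this page; not code from the plugin, Threatpost or the
researcher. Assumptions not stated in the article: WordPress plugins declare
their release in a 'Version:' line of the header comment in the plugin's main
PHP file (assumed here to be wp-content/plugins/contact-form-7/wp-contact-form-7.php),
and 5.3.2 is the first fixed release, as the article reports. Sample headers
are constructed.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

PATCHED_VERSION = "5.3.2"  # first release with the fix, per the article
# Assumed location of the plugin's main file inside a WordPress root.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/contact-form-7/wp-contact-form-7.php")

# The key may be preceded by comment punctuation ('*', '#', whitespace) and the
# value runs to the next whitespace, which covers both header comment styles below.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)

# Constructed sample headers (not real plugin files).
SAMPLE_VULNERABLE_HEADER = """<?php
/*
Plugin Name: Contact Form 7
Description: Just another contact form plugin. Simple but flexible.
Version: 5.3.1
*/
"""
SAMPLE_PATCHED_HEADER = """<?php
/**
 * Plugin Name: Contact Form 7
 * Version: 5.3.2
 */
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted release string into a tuple of ints for comparison.

    String comparison gets '5.3.10' < '5.3.2' wrong, so compare numerically.
    A trailing tag such as '-beta' is dropped from its component, and missing
    components count as 0, so '5.3' sorts before '5.3.1'.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Return the 'Version:' value from a plugin's header comment, or None."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True for any release older than the patched one."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def classify(php_source: str) -> str:
    """Map a plugin main file's contents to 'vulnerable', 'patched' or 'unknown'."""
    version = plugin_version_from_header(php_source)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


def audit_sources(sources: Dict[str, str]) -> Dict[str, str]:
    """Classify a mapping of site label -> plugin main file contents."""
    return {site: classify(src) for site, src in sources.items()}


def audit_roots(wp_roots: Iterable[Path]) -> Dict[str, str]:
    """Classify real installs given their WordPress root directories.

    Roots where the assumed main file is absent are reported as 'not installed'.
    """
    results = {}
    for root in wp_roots:
        main_file = Path(root) / PLUGIN_MAIN_FILE
        if not main_file.is_file():
            results[str(root)] = "not installed"
            continue
        results[str(root)] = classify(main_file.read_text(encoding="utf-8", errors="replace"))
    return results


if __name__ == "__main__":
    demo = {
        "site-a": SAMPLE_VULNERABLE_HEADER,
        "site-b": SAMPLE_PATCHED_HEADER,
        "site-c": "<?php // header missing",
    }
    for site, status in audit_sources(demo).items():
        print(f"{site}: {status}")
```

Run `audit_roots` over the document roots of the installs you manage and update every site it reports as vulnerable; the header only tells you what is on disk, so re-run the audit after the update to confirm the new version landed.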


News URL

https://threatpost.com/contact-form-7-plugin-bug/162383/

Related vendor

Vendor      Last 12M / #Products   Low   Medium   High   Critical   Total vulns
Wordpress   49                     36    410      104    29         579
Plugin      2                      0     13       0      0          13

(Each vendor row on the source page carries one value fewer than the header has columns; the four severity counts sum to the total, so the first value belongs to one of the two leading columns.)