Security News > 2020 > December > WordPress plugin with 5 million installs has a critical vulnerability
The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch.
The vulnerable plugin, Contact Form 7, has over 5 million active installs making this urgent upgrade a necessity for WordPress site owners out there.
Unrestricted file upload. This week, Contact Form 7 project has disclosed an unrestricted file upload vulnerability in the WordPress plugin that can allow an attacker to bypass Contact Form 7's filename sanitization protections when uploading files.
"Seeing the criticality of the vulnerability and the number of WordPress websites using this popular plugin, we quickly reported the vulnerability. The developer was even quicker in issuing a fix. Kudos to the Contact Form 7 team for leading by example," Behanan told BleepingComputer.
Last month, Drupal sites were found to have a double extension file upload vulnerability.
News URL
Related news
- Unpatched critical flaws impact Fancy Product Designer WordPress plugin (source)
- Critical zero-days impact premium WordPress real estate plugins (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)