Security News > 2020 > December > WordPress plugin with 5 million installs has a critical vulnerability
The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch.
The vulnerable plugin, Contact Form 7, has over 5 million active installs making this urgent upgrade a necessity for WordPress site owners out there.
Unrestricted file upload. This week, Contact Form 7 project has disclosed an unrestricted file upload vulnerability in the WordPress plugin that can allow an attacker to bypass Contact Form 7's filename sanitization protections when uploading files.
"Seeing the criticality of the vulnerability and the number of WordPress websites using this popular plugin, we quickly reported the vulnerability. The developer was even quicker in issuing a fix. Kudos to the Contact Form 7 team for leading by example," Behanan told BleepingComputer.
Last month, Drupal sites were found to have a double extension file upload vulnerability.
News URL
Related news
- CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks (source)
- GiveWP WordPress Plugin Vulnerability Puts 100,000+ Websites at Risk (source)
- Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data (source)
- Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access (source)
- SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access (source)
- Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution (source)
- Critical Fortra FileCatalyst Workflow vulnerability patched (CVE-2024-6633) (source)
- Apache fixes critical OFBiz remote code execution vulnerability (source)
- Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress (source)
- Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195) (source)