WordPress plugin with 5 million installs has a critical vulnerability
Security News, December 2020
The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch.
The vulnerable plugin, Contact Form 7, has over 5 million active installs, which makes upgrading an urgent task for WordPress site owners.
Unrestricted file upload
This week the Contact Form 7 project disclosed an unrestricted file upload vulnerability in the plugin that allows an attacker to bypass Contact Form 7's filename sanitization when uploading files through a form. In a plugin that writes user-supplied files to the server, a sanitization bypass of this kind means the plugin can no longer guarantee that only the intended file types are stored, which is why the issue is rated critical.
"Seeing the criticality of the vulnerability and the number of WordPress websites using this popular plugin, we quickly reported the vulnerability. The developer was even quicker in issuing a fix. Kudos to the Contact Form 7 team for leading by example," Behanan told BleepingComputer.
Last month, Drupal sites were found to have a double extension file upload vulnerability.
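The two items above describe the same weakness class: an upload filter that inspects only the text after the last dot, so a filename carrying a second, dangerous extension or stray control bytes slips through. The following PHP is an added example written for this page; it is not Contact Form 7's or Drupal's code, and the function names (`weak_is_allowed`, `hardened_sanitize`), the allowlist and the sample filenames are all constructed for illustration. It shows a naive last-extension check beside a hardened sanitizer and runs both over the same inputs.

```php
<?php
// Added example, not code from Contact Form 7 or Drupal.

// Weak check: looks only at the text after the final dot. "shell.php.jpg"
// and "shell.php<TAB>.jpg" both report a "jpg" extension and are accepted.
function weak_is_allowed(string $filename, array $allowed): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Hardened sanitizer: reduce to a basename, reject control and non-ASCII
// bytes, refuse server-executable extensions anywhere in the dotted name
// (double extensions), then require exactly one allowlisted final extension.
// Returns the safe name to store, or null to reject the upload.
function hardened_sanitize(string $filename, array $allowed): ?string {
    $name = basename(str_replace('\\', '/', $filename));

    // Control characters (tab, newline, ...) and non-ASCII bytes are rejected
    // outright rather than stripped: some servers and libraries treat them as
    // terminators and read a different extension than the filter did.
    if ($name === '' || preg_match('/[^\x20-\x7E]/', $name)) {
        return null;
    }

    // Conservative character set for the stored name.
    $name = preg_replace('/[^A-Za-z0-9._-]+/', '_', $name);
    $name = trim($name, '._-');

    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null; // no extension at all
    }
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // Any earlier segment that is itself a server-side extension is a double
    // extension ("img.php.jpg") and is refused: misconfigured handlers can
    // still execute such files even though the final extension looks safe.
    $dangerous = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                  'cgi', 'pl', 'asp', 'aspx', 'jsp', 'htaccess'];
    foreach ($parts as $segment) {
        if (in_array(strtolower($segment), $dangerous, true)) {
            return null;
        }
    }

    // Rebuild with a single dot so the stored name has exactly one extension.
    $stem = implode('_', $parts);
    return $stem === '' ? null : $stem . '.' . $ext;
}

$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Constructed sample filenames; none are taken from a real incident.
$samples = [
    'photo.jpg',
    'shell.php.jpg',
    "shell.php\t.jpg",
    '../../wp-config.php.txt',
    'report.PDF',
    'noextension',
];

foreach ($samples as $s) {
    printf("%-28s weak=%-6s hardened=%s\n",
        json_encode($s),
        weak_is_allowed($s, $allowed) ? 'accept' : 'reject',
        hardened_sanitize($s, $allowed) ?? 'reject');
}
```

Running it shows the weak check accepting every sample except `noextension`, while the hardened version accepts only `photo.jpg` and `report.PDF` (stored as `report.pdf`). Filename checks are one layer only: a complete fix also validates content (for example with `finfo` magic-byte detection), stores uploads outside the web root or in a directory where script execution is disabled, and assigns server-generated names rather than trusting the client's.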