
Unpatched WordPress Plugin Code-Injection Bug Afflicts 50K Sites
2021-02-05 22:20

A security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, could allow for malicious JavaScript injection on a victim website.

The latest WordPress plugin security vulnerability is a cross-site request forgery (CSRF) that leads to stored cross-site scripting (XSS) in Contact Form 7 Style, an add-on to the well-known Contact Form 7 umbrella plugin.
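The CSRF-to-stored-XSS pattern named above is generic to WordPress settings handlers, so here is an added illustration of it in a hypothetical plugin; this is not code from Contact Form 7 Style, Contact Form 7 or Wordfence, and the option name, page slug, action name and nonce name are invented for the example. The vulnerable handler accepts any POST that carries the field and prints the stored value raw; the hardened handler adds a capability check, a nonce check via check_admin_referer(), sanitization on input and escaping on output.

```php
<?php
/**
 * Added illustration (hypothetical "demo-style" settings page), not code
 * from any real plugin. Assumes it runs inside a loaded WordPress plugin.
 */

// --- Vulnerable pattern: CSRF that becomes stored XSS -----------------------
// No nonce and no capability check: any request carrying the POST field is
// accepted, so an administrator who is tricked into submitting a form hosted
// elsewhere has the option overwritten. The value is stored unsanitized and
// printed unescaped on the public site, so the planted value runs in every
// visitor's browser.
function demo_save_label_vulnerable() {
    update_option( 'demo_button_label', $_POST['button_label'] ?? '' );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-style' ) );
    exit;
}
function demo_render_label_vulnerable() {
    echo '<button class="demo-submit">' . get_option( 'demo_button_label', 'Send' ) . '</button>';
}

// --- Hardened pattern --------------------------------------------------------
// 1. Capability check: only users allowed to manage options may change it.
// 2. Nonce check: check_admin_referer() dies unless the request carries a valid
//    nonce tied to this action and this user, which a cross-site form cannot supply.
// 3. Sanitize on input (sanitize_text_field), escape on output (esc_html).
function demo_save_label_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_save_label', 'demo_label_nonce' );

    $label = sanitize_text_field( wp_unslash( $_POST['button_label'] ?? '' ) );
    update_option( 'demo_button_label', $label );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=demo-style' ) ) );
    exit;
}
function demo_render_label_hardened() {
    echo '<button class="demo-submit">' . esc_html( get_option( 'demo_button_label', 'Send' ) ) . '</button>';
}

// The admin form must emit the matching nonce field so legitimate saves pass.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_label">
        <?php wp_nonce_field( 'demo_save_label', 'demo_label_nonce' ); ?>
        <label>Button label
            <input type="text" name="button_label"
                   value="<?php echo esc_attr( get_option( 'demo_button_label', 'Send' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Wire only the hardened handler to admin-post.php; the vulnerable one is kept for contrast.
add_action( 'admin_post_demo_save_label', 'demo_save_label_hardened' );
```

When reviewing a plugin for this class of bug, look for every option-writing path (admin_post_*, admin-ajax.php actions, REST routes, options.php submissions) and confirm each one checks both a capability and a nonce, and that every place the stored value is printed escapes it for its context.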

WordPress removed the plugin from the WordPress plugin repository on Feb. 1.

Because the plugin has so many installed instances, the researchers are withholding specifics: "Due to the number of sites affected by this plugin's closure, we are intentionally providing minimal details about this vulnerability to provide users ample time to find an alternative solution."

Wordfence notified the plugin's developer about the bug in early December; after receiving no response, the researchers then escalated the issue to the WordPress Plugins team in early January.

The WordPress Plugins team also contacted the developer with no response, leading to the disclosure this week.

News URL

https://threatpost.com/unpatched-wordpress-plugin-code-injection/163706/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 49 36 409 104 29 578
Plugin 2 0 13 0 0 13