Just another contact form plugin. Simple but flexible.
Contact Form 7 är ett av WordPress mest populära kontaktformulär-tillägg med över 10 miljoner aktiva installationer. Tillägget är enkelt att använda och erbjuder flexibel anpassning av kontaktformulär för webbplatser.
Tillägget har totalt 42 dokumenterade sårbarheter, varav 4 klassas som kritiska och 7 som höga. Den senaste kända sårbarheten rapporterades i maj 2024, vilket visar att säkerhetsövervakning fortfarande är relevant för detta tillägg.
Trots det höga antalet sårbarheter behöver detta sättas i perspektiv. De flesta säkerhetsproblem har åtgärdats genom uppdateringar, och tilläggets stora användarbas innebär att säkerhetsbrister upptäcks och rapporteras snabbt. De kritiska sårbarheterna kan potentiellt utnyttjas för att komma åt känslig information eller manipulera webbplatsen.
Regelbundna uppdateringar är det viktigaste skyddet mot kända säkerhetshot och bör prioriteras högt i ditt WordPress-underhåll.
Kör ett gratis test och se om din hemsida är påverkad av dessa sårbarheter.
Påverkade versioner: <= 6.0.5
Påverkade versioner: all
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible...
Påverkade versioner: all
The Send PDF for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of form submissions due to a missing capability check on the hooks function in all versions up to, and including, 1.0.2.3. This makes it possible for unauthenti...
Påverkade versioner: all
The Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms plugin for WordPress is vulnerable to SQL Injection via the ‘integration_id’ parameter in all versions up to, and including, 1.82.0 due to ins...
Påverkade versioner: < 5.9.2
The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for un...
Påverkade versioner: all
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output es...
Påverkade versioner: < 2.2
The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3 and in Contact Form 7 – PayPal & Stripe Add-on all versions up to, and including 2.1. This is due to...
Påverkade versioner: <= 1.1.1
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes...
Påverkade versioner: <= 1.1.1
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'form-id' parameter in all versions up to, and including, 1.1.1 due to insufficient escaping on the user supplied parameter and lack of suffici...
Påverkade versioner: <= 1.1.1
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the settings update function. This ma...
Påverkade versioner: <= 1.1.1
The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This make...
Påverkade versioner: < 1.2.3
The Contact Form 7 Connector WordPress plugin before 1.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators.
Påverkade versioner: <= 4.1.0
The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation...
Påverkade versioner: < 3.0
The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0, autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as a...
Påverkade versioner: <= 1.0.1
The BSK Contact Form 7 Blacklist WordPress plugin through 1.0.1 does not sanitise and escape the inserted_count parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege us...
Påverkade versioner: < 5.8.4
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and incl...
Påverkade versioner: <= 1.3.7.3
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it...
Påverkade versioner: < 3.1.29
The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...
Påverkade versioner: < 3.1.29
The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html...
Påverkade versioner: <= 3.2
The Contact Form 7 Style plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_wp_posts_be_qe_save_post() function. This makes it pos...
Påverkade versioner: < 1.2.4
The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin before 1.2.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin
Påverkade versioner: <= 3.1.23
The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in versions up to, and including, 3.1.23. This makes it possible for authenticated attackers of any authorization level to append additi...
Påverkade versioner: < 2.11.1
The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escap...
Påverkade versioner: < 1.1.6
The Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks WordPress plugin before 1.1.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blo...
Påverkade versioner: < 5.0.6.3
A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the file admin-ajax.php. The manipulation of the argument upload_name leads to...
Påverkade versioner: < 0.9.9.2
The Send PDF for Contact Form 7 WordPress plugin before 0.9.9.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-S...
Påverkade versioner: < 1.2.6.5
The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when output it back in a CSV file, which could lead to CSV injection
Påverkade versioner: < 0.1.2
The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
Påverkade versioner: < 5.3
The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like default_role, users_can_register via a C...
Påverkade versioner: <= 1.8.7
Persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin <= 1.8.7 at WordPress.
Påverkade versioner: <= 2.6.4
The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing any logged...
Påverkade versioner: < 1.8.7
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrar...
Påverkade versioner: < 2.1.2
The IDPay for Contact Form 7 WordPress plugin through 2.1.2 does not sanitise and escape the idpay_error parameter before outputting it back in the page leading to a Reflected Cross-Site Scripting
Påverkade versioner: < 2.5.1
The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
Påverkade versioner: < 1.2.6.1
Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).
Påverkade versioner: <= 1.2.6.1
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.6.1).
Påverkade versioner: < 0.0.9
The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when ou...
Påverkade versioner: <= 3.1.9
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfu...
Påverkade versioner: < 5.3.2
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
Påverkade versioner: <= 2.6.0
Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action a...
Påverkade versioner: <= 2.10.32
CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.
Påverkade versioner: all
The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifi...
Påverkade versioner: all
Multiple cross-site scripting (XSS) vulnerabilities in includes/toAdmin.php in Contact Form 7 Integrations plugin 1.0 through 1.3.10 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) uE or (2) uC parameter.
Sårbarheter i tillägg är den vanligaste attackytan för WordPress-sajter. Det bästa skyddet är att vara proaktiv — här är tre konkreta steg.
De flesta sårbarheter i Contact Form 7 åtgärdas snabbt av utvecklarna. Uppdatera alltid till senaste versionen.
Varje tillägg är en potentiell attackyta. Avinstallera det du inte aktivt använder.
Med löpande övervakning upptäcker du problem innan de blir allvarliga.
Vill du slippa hålla koll själv? Med ett supportavtal från Sitesupport sköter vi uppdateringar och säkerhet åt dig.
Kör ett gratis test och se hur din sajt presterar inom SEO, säkerhet, prestanda och tillgänglighet — på under en minut.
Testa gratisInget konto krävs