5M Sites Running WordPress ‘Contact Form 7’ Plugin Open to Attack

A critical unrestricted file upload bug in Contact Form 7 allows an unauthenticated visitor to take over a site running the plugin.

Note: As of 18th December 2020 we have patched all hosted sites on our platform against the vulnerability.

A patch for the popular WordPress plugin called Contact Form 7 was released Thursday. It fixes a critical bug that allows an unauthenticated adversary to take over a website running the plugin or possibly hijack the entire server hosting the site. The patch comes in the form of a 5.3.2 version update to the Contact Form 7 plugin.

The WordPress utility is active on 5 million websites with a majority of those sites (70 percent) running version 5.3.1 or older of the Contact Form 7 plugin.

Quick Fix

“The plugin developer (Takayuki Miyoshi) was quick to fix the vulnerability, realizing its critical nature. We communicated back and forth trying to release the update as soon as possible to prevent any exploitation. An update fixing the issue has already been released, in version 5.3.2,”

To keep perspective on the bug, web analytics firm Netcraft estimates there are 455 million websites using the WordPress platform right now. That suggests 1.09 percent of WordPress sites could be vulnerable to attack via this flaw.