Vulnerabilities and security researches forcontact-form-7 contact-form-7

Apr 16, 2025

CVE, Research URL: CVE-2025-3247
Home page URL: Security reports for Contact Form 7
Application: Contact Form 7
Date: Apr 16, 2025
Research Description: The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Affected versions: max 6.0.6.
Status: vulnerable

Jul 24, 2024

PSC, Research URL: PSC-2024-64507
Home page URL: Security reports for Contact Form 7
Application: Contact Form 7
Date: Apr 10, 2025
Research Description: Contact Form 7 plugin, one of the most popular contact form plugins for WordPress, has reached a new milestone in security. The latest version, 6.1.4, has successfully passed the Plugin Security Certification (PSC) conducted by CleanTalk, ensuring that users can enjoy enhanced security features along with the plugin’s robust functionality.
Affected versions: Min 6.1.4, max 6.1.4.
Status: SAFE & CERTIFIED

Jun 29, 2024

CVE, Research URL: CVE-2024-4704
Home page URL: Security reports for Contact Form 7
Application: Contact Form 7
Date: Jun 27, 2024
Research Description: The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing.
Affected versions: max 5.9.5.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2014-2265
Home page URL: Security reports for Contact Form 7
Application: Contact Form 7
Date: Mar 14, 2014
Research Description: Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter.
Affected versions: max 5.0.4.
Status: vulnerable

CVE, Research URL: CVE-2018-20979
Home page URL: Security reports for Contact Form 7
Application: Contact Form 7
Date: Aug 22, 2019
Research Description: The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type.
Affected versions: max 5.0.4.
Status: vulnerable

CVE, Research URL: CVE-2024-2242
Home page URL: Security reports for Contact Form 7
Application: Contact Form 7
Date: Mar 14, 2024
Research Description: The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 5.9.2.
Status: vulnerable

CVE, Research URL: CVE-2023-6449
Home page URL: Security reports for Contact Form 7
Application: Contact Form 7
Date: Dec 01, 2023
Research Description: The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.
Affected versions: max 5.8.4.
Status: vulnerable

CVE, Research URL: CVE-2020-35489
Home page URL: Security reports for Contact Form 7
Application: Contact Form 7
Date: Dec 18, 2020
Research Description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
Affected versions: max 5.3.2.
Status: vulnerable