The popular Contact Form 7 plugin released an urgent update on December 17th to patch a major security vulnerability. The fix ships in version 5.3.2 of the plugin. The vulnerability affects over 5 million WordPress websites, and the release is considered an urgent, critical fix.
“Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately.” – Takayuki Miyoshi

The vulnerability being fixed is an “unrestricted file upload vulnerability”: it allows attackers to bypass the plugin's file sanitization and upload files that can be executed on the server, potentially causing major damage to a website. The vulnerability was found by Jinson Varghese Behanan of the Astra Security team. According to Contact Form 7, the update that fixes this issue:

“Removes control, separator, and other types of special characters from filename to fix the unrestricted file upload vulnerability issue.”

Other changes are included in this version of the plugin; see the full list here: https://github.com/takayukister/contact-form-7/compare/v5.3.1…v5.3.2

Source: Contact Form 7 Announcement
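The quoted fix is about filename sanitization. The PHP function below is an added illustration written for this post, not Contact Form 7's own code: it strips control and separator characters in the way the release note describes and, going one step further than the note, rejects any filename whose extensions are not on an allowlist, so a name that carries an executable extension anywhere after the base name is refused rather than merely cleaned. The function name, the allowlist, the length limit and the sample filenames are assumptions made for the example.

```php
<?php
// Added example, not code from Contact Form 7 or its author.
// Filename sanitizer for untrusted uploads: strip control and separator
// characters, then accept only allowlisted extensions. The constants,
// the function name and the sample inputs below are assumptions.

const UPLOAD_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
const UPLOAD_MAX_NAME_LENGTH = 100;

/**
 * Return a safe basename for an untrusted upload filename, or null when the
 * name cannot be accepted. Callers treat null as "reject the upload".
 */
function sanitize_upload_filename(string $name): ?string
{
    // Remove ASCII control characters first (0x00-0x1F, 0x7F). A NUL byte
    // in particular can truncate the name in lower layers, so it must not
    // survive into any later path handling.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // Keep only the last path segment; both slash styles count as separators,
    // which discards any "../" traversal prefix.
    $name = preg_replace('#^.*[/\\\\]#', '', $name);

    // Remove everything outside a conservative character set. This covers
    // separators (space, colon, semicolon, ...) and other special characters.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);

    // Leading dots would create hidden files such as ".htaccess".
    $name = ltrim($name, '.');

    if ($name === '' || strlen($name) > UPLOAD_MAX_NAME_LENGTH) {
        return null;
    }

    // Require an extension, and require every dotted segment after the base
    // name to be on the allowlist, so "shell.php.jpg" is rejected even though
    // its final extension looks harmless.
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null;
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array(strtolower($ext), UPLOAD_ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }

    return $name;
}

// Constructed sample inputs (not real attack data) to show the behaviour.
$samples = [
    "report.pdf",            // accepted unchanged
    "../../wp-config.php",   // rejected: php is not allowlisted
    "photo\x00.jpg",         // accepted as "photo.jpg" after NUL removal
    "web shell.php.jpg",     // rejected: inner php segment
    ".htaccess",             // rejected: no extension after ltrim
    "my-image.PNG",          // accepted; extension check is case-insensitive
];
foreach ($samples as $s) {
    $out = sanitize_upload_filename($s);
    printf("%-28s => %s\n", json_encode($s), $out === null ? 'REJECTED' : $out);
}
```

The design choice worth noting is that stripping characters alone is not the whole defence: a sanitizer should also decide which extensions the server may store, because the web server, not the plugin, decides what gets executed. Returning null and refusing the upload is safer than silently renaming, since a renamed file still lands in a web-reachable directory.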