Plugin Exploit

Unrestricted File Upload Vulnerability found in Contact Form 7, update immediately (5 million+ sites affected)

Updated on: January 10, 2021

Unrestricted File Upload Vulnerability found in Contact Form 7, update immediately (5 million+ sites affected)

On December 16, 2020, the Astra Security Research team discovered an Unrestricted File Upload vulnerability in Contact Form 7, a WordPress plugin installed on 5 Million+ websites. 

CVE ID: CVE-2020-35489


Contact Form 7 is one of the most popular WordPress plugins that allows its users to add multiple contact forms on their site. The plugin currently has over 5 million active installations. So, any vulnerability in this plugin puts millions of websites at risk of being compromised.

Contact from 7
A video summary explaining the vulnerability & its consequences. Video can be re-used with attribution.

File Upload Vulnerability

Our research team led by Jinson Varghese recently discovered a high-severity Unrestricted File Upload vulnerability in the WordPress plugin Contact Form 7 5.3.1 and older versions. By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. Further, it allows an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms.

The Astra Security Research team initially reached out to Contact Form 7 plugin developers via their support forum on December 16, 2020. After receiving the acknowledgment from the plugin developers, we disclosed the full details about this vulnerability on December 17, 2020. On the same day, a final sufficient patch was released. We highly recommend updating the plugin to its latest version, 5.3.2 as of today, immediately.


Checking the statistics of the plugin, it can be seen that a large number of WordPress websites are still using older versions. We’ve also been getting multiple requests asking for an exploit which has been worrisome. Hence, taking into consideration the millions of websites on older versions and the interest of black hat community, we won’t be releasing a PoC.

Further, we can confirm that WordPress websites not using the upload functionality in Contact Form 7, running the latest version, or using any good security tool are protected from this. We haven’t tracked any active exploitation in the wild until now.

Note: If you are using Astra Security’s firewall & malware scanner, you’re automatically protected out of the box. For an even better & wider coverage we’ll recommend installing Astra Security via this method on your WordPress

Consequences of File Upload Vulnerability in Contact Form 7 (5.3.1 & older versions)

  1. Possible to upload a web shell and inject malicious scripts
  2. Complete takeover of the website & server if there is no containerization between websites on the same server
  3. Defacing the website

Disclosure Timeline

December 16, 2020 – Initial discovery of the Unrestricted File Upload vulnerability
December 16, 2020 – The Astra Security Research reached out to the plugin developers and receives an acknowledgment
December 17, 2020 – We send over full vulnerability disclosure details to the Contact Form 7 team
December 17, 2020 – After fixing up the vulnerability the initial insufficient patch was released
December 17, 2020 – We provided more details about the vulnerability to the plugin developers
December 17, 2020 – The final sufficient patch is released in the plugin version 5.3.2

Special mention to the Contact Form 7 plugin developer, Takayuki Miyoshi, who was quick to respond and address the issue keeping in mind the security of the plugin users.Takayuki was quick to respond, take action and release an update which inspires confidence in Contact Form 7’s commitment to security.


As the cyber threat landscape extends one more step towards the internet disruption, threat actors are actively discovering new techniques to bring down online business on their knees. To protect against such plugin vulnerabilities you need to make sure that you have taken all security measures in place for protecting your site and online business.

If you are using the Contact Form 7 plugin version 5.3.1 and below, it is highly recommended to update this WordPress plugin to its latest version i.e. 5.3.2 (at the time of writing).

For best security practices, you can follow the below guides:

Feel free to comment your queries & we will be happy to answer them 🙂

Was this post helpful?

Tags: , , , , , , , ,

Kanishk Tagade

Kanishk Tagade

Kanishk Tagade is a Marketing Manager at Astra Security. Having a hawk-eyed view on the cybersecurity threat landscape, market-shifts, and hacktivism activities, Kanishk is a community member of the Nasscom and corporate contributor at many technology magazines and security awareness platforms. Editor-in-Chief at "", his work is published in more than 50+ news platforms. He is also a social micro-influencer for the latest cybersecurity defense mechanisms, Digital Transformation, Machine Learning, AI and IoT products.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.


Made with ❤️ in USAFranceIndiaGermany