Category Archives: Security

Avast false alarm again

Today I saw a lot of Contact Form 7 users reporting that the security software they use had detected a Trojan Horse in a script file in the Contact Form 7 package. I scanned the reported file on the WordPress.org plugin directory and found no problem, so I concluded that this is a false alarm.

The security software is provided by Avast Software. According to user reports, several other security applications from Avast’s group of companies showed the same alert. Avast caused a similar false alarm in 2021.

Warning against the use of vulnerable add-on plugins

You can find so many add-on plugins for Contact Form 7 on the Internet. You might also assume that they have an affiliation with or are certified by the developers of Contact Form 7, but that’s not true. They are third-party products that have nothing to do with the Contact Form 7 project.

We don’t recommend any of them. In reality, some of them are known to have severe security vulnerabilities, so we strongly advise you to avoid using them.


Avast security alert

In the past few hours a lot of Contact Form 7 users have reported that their security tools provided by Avast Software have given a security alert about Contact Form 7. In particular, the alert says it has found a Trojan Horse in one of the script files in the Contact Form 7 package.

I have confirmed no such malware exists in Contact Form 7, so I believe that it is probably a false alarm. So far we haven’t received any information from Avast about this case.

I’ll update this post when there is new information.

Contact Form 7 5.3.2

Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately.

An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. By exploiting this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization and upload a file that can be executed as a script on the host server. This issue was reported by Jinson Varghese Behanan from Astra Security.


Heads-up about spreadsheet vulnerabilities

Vulnerabilities affecting spreadsheet applications like Microsoft Excel and OpenOffice Calc have been known for over 5 years, and unfortunately they still appear to be unresolved.

This is not a vulnerability in WordPress or its plugins. However, because a great many users of our products are exposed to these vulnerabilities, and the potential damage could be huge, I think I should write an article here to alert you to the issue.
