WordPress Plugin Vulnerability Report – Contact Form 7 – Authenticated (Editor+) Arbitrary File Upload – CVE-2023-6449

Plugin Name: Contact Form 7

Key Information:

  • Software Type: Plugin
  • Software Slug: contact-form-7
  • Software Status: Active
  • Software Author: takayukister
  • Software Downloads: 299,048,263
  • Active Installs: 5,000,000
  • Last Updated: November 30, 2023
  • Patched Versions: 5.8.4
  • Affected Versions: <= 5.8.3

Vulnerability Details:

  • Name: Contact Form 7 <= 5.8.3 - Authenticated (Editor+) Arbitrary File Upload
  • Title: Authenticated (Editor+) Arbitrary File Upload
  • Type: Unrestricted Upload of File with Dangerous Type
  • CVE: CVE-2023-6449
  • CVSS Score: 6.6 (Medium)
  • Publicly Published: November 30, 2023
  • Researcher: István Márton
  • Description: The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the file will be deleted from the server immediately. However, in some cases, other plugins may make it possible for the file to live on the server longer. This can make remote code execution possible when combined with another vulnerability, such as local file inclusion.

Summary:

The Contact Form 7 plugin for WordPress has a vulnerability in versions up to and including 5.8.3 that allows authenticated users with Editor-level access or higher to upload arbitrary files. This vulnerability has been patched in version 5.8.4.

Detailed Overview:

István Márton discovered an insufficient file type validation vulnerability in the 'validate' function of Contact Form 7 versions up to and including 5.8.3. Additionally, there is insufficient blocklisting in the 'wpcf7_antiscript_file_name' function. Together, these vulnerabilities allow users authenticated as an Editor or above to upload arbitrary files to the affected WordPress site's server.

By default, an uploaded file is deleted from the server immediately, and the plugin's .htaccess configuration prevents it from being executed in most cases. However, if Contact Form 7 is used alongside other plugins that allow the file to persist on the server, this flaw combined with another vulnerability, such as local file inclusion, may make remote code execution possible.

Users should update immediately to Contact Form 7 version 5.8.4, which patches this vulnerability by tightening the server-side validation of uploaded files.

Advice for Users:

  1. Immediate Action: Update to Contact Form 7 version 5.8.4 as soon as possible.
  2. Check for Signs of Vulnerability: Review your file system for any unexpected files uploaded through Contact Form 7 forms.
  3. Alternate Plugins: Consider alternative contact form plugins like Ninja Forms or Gravity Forms.
  4. Stay Updated: Routinely check that plugins are updated and install security plugins like Wordfence to get notifications.

Conclusion:

The quick update from Contact Form 7 to address this authenticated arbitrary file upload vulnerability shows the importance of rapid patching. Users should install version 5.8.4 immediately to secure WordPress sites.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/contact-form-7

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/contact-form-7/contact-form-7-583-authenticated-editor-arbitrary-file-upload

Detailed Report:

WordPress powers over 43% of all websites, making it an obvious target for hackers seeking vulnerabilities. Unfortunately, a serious flaw was recently discovered in a widely used WordPress plugin, Contact Form 7, that leaves over 5 million websites at risk. In this post, we’ll provide the key details you need to know to protect your website.

The Contact Form 7 Plugin

Contact Form 7 is one of the most popular WordPress contact form plugins, used on millions of sites. It allows easy creation of email contact forms without needing code. The plugin has over 299 million downloads and 5 million active installs, highlighting the immense scope of this vulnerability's impact.

The Vulnerability Explained

Security researcher István Márton recently discovered an insufficient file type validation vulnerability in certain Contact Form 7 versions. Additionally, there is insufficient blocklisting of dangerous file types being uploaded.

Together, these flaws let logged-in users with the Editor role or higher upload arbitrary files, including malware, to the WordPress server. By default the uploaded file is deleted immediately and the plugin's .htaccess rules prevent it from executing, but if another plugin allows the file to persist, it could be combined with a further vulnerability to achieve remote code execution.

What’s the Risk?

Allowing Editor-level users or higher to upload unchecked files carries serious risks:

  • Injection of malware, viruses, or ransomware
  • Interception of admin/user credentials or site data
  • Defacing/corrupting of site files stored locally
  • Potential site hijacking if paired with other vulnerabilities

How to Update & Fix

The good news is Contact Form 7 developers have already patched this critical arbitrary file upload flaw in version 5.8.4.

To fix, simply visit your WordPress dashboard → Plugins and check your installed Contact Form 7 version. If it's older than 5.8.4, update immediately by clicking “Update Now.”
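The version check above and the file-system review recommended under "Check for Signs of Vulnerability" can be scripted for administrators with shell access. The following is an added example, not code from Wordfence or the plugin; WP_ROOT and the extension allowlist are assumptions, while the plugin main file path and the wpcf7_uploads temporary directory are the plugin's defaults. The allowlist check flags every dot-separated suffix, so a double-extension name is caught as well as a plain script name.

```shell
#!/bin/sh
# Added example (not Wordfence's or the plugin's code). WP_ROOT and the
# suffix allowlist are assumptions; the two plugin paths are its defaults.
WP_ROOT="${WP_ROOT:-/var/www/html}"
CF7_MAIN="$WP_ROOT/wp-content/plugins/contact-form-7/wp-contact-form-7.php"
CF7_TMP="$WP_ROOT/wp-content/uploads/wpcf7_uploads"
PATCHED="5.8.4"
# Read the "Version:" line from the plugin header (with or without a leading "*").
cf7_installed_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r'
}
# True (exit 0) when dotted version $1 is strictly older than $2, compared numerically.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1 }'
}
# Affected when below 5.8.4; an unreadable (empty) version is treated as affected.
cf7_is_vulnerable() { version_lt "$1" "$PATCHED"; }
# Allowlist of suffixes (assumed set, adjust per site): the opposite of the
# blocklist approach the report describes for wpcf7_antiscript_file_name.
# A name passes only if every suffix is allowlisted, so "report.php" and
# "report.php.jpg" both fail while "Photo.JPG" passes.
name_allowed() {
  case "$1" in *.*) ;; *) return 1 ;; esac
  rest=$(printf '%s' "${1#*.}" | tr 'A-Z' 'a-z')
  [ -n "$rest" ] || return 1
  old_ifs=$IFS; IFS=.; set -- $rest; IFS=$old_ifs
  for seg; do
    case "$seg" in jpg|jpeg|png|gif|pdf|doc|docx|txt|zip) ;; *) return 1 ;; esac
  done
  return 0
}
# Print files lingering in the temp upload dir whose names fail the allowlist
# (CF7 normally removes uploads right after mailing, so leftovers deserve a look).
flag_unexpected() {
  find "$1" -type f ! -name .htaccess ! -name index.php 2>/dev/null | while read -r f; do
    name_allowed "$(basename "$f")" || printf 'UNEXPECTED: %s\n' "$f"
  done
}
if [ -f "$CF7_MAIN" ]; then  # run the checks on a real install; no-op elsewhere
  v=$(cf7_installed_version "$CF7_MAIN")
  cf7_is_vulnerable "$v" && echo "Contact Form 7 $v affected by CVE-2023-6449; update to $PATCHED"
  flag_unexpected "$CF7_TMP"
fi
```

Run it as `WP_ROOT=/path/to/site sh cf7-check.sh`; any UNEXPECTED line names a file worth inspecting before removal.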

Ongoing Security Upkeep

While this vulnerability has been addressed, websites must remain vigilant against emerging threats by:

  • Enabling auto background updates
  • Reviewing plugins/themes monthly
  • Restricting unused user roles’ capabilities
  • Adding security plugins like Wordfence

The Importance of Updates

This flaw represents the 5th publicized vulnerability found in Contact Form 7 over the years. The risks of outdated software cannot be overstated in 2023’s threat landscape. Hackers are constantly probing popular platforms like WordPress for ways to launch attacks.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
