A vulnerability has been discovered in CF7 which affects all versions of the plugin. As mentioned here, only versions of CF7 up to 5.1.9 are compatible with ClassicPress, which means that we cannot upgrade to the patched version (5.3.2).
However, the fix is simple. In file includes/formatting.php, find function wpcf7_antiscript_file_name() and replace:

    $filename = basename( $filename );

with:

    $filename = wp_basename( $filename );
    $filename = preg_replace( '/[\pC\pZ]+/i', '', $filename );
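
To confirm the edit took effect on a given install, the following added example (not part of the original post, and not ClassicPress or CF7 code) checks the body of wpcf7_antiscript_file_name() for the old and new lines. The helper names cf7_function_body and cf7_patch_status are hypothetical, and the script assumes the function ends at the first closing brace in column 1.

```shell
#!/bin/sh
# Added example (not ClassicPress or CF7 code): report whether
# wpcf7_antiscript_file_name() in a given formatting.php carries the
# replacement lines from the post. Usage: sh check.sh path/to/formatting.php

# Print the function from its declaration to the first closing brace
# in column 1, with spaces and tabs removed so spacing does not matter.
cf7_function_body() {
    awk '
        /function[ \t]+wpcf7_antiscript_file_name[ \t]*\(/ { inside = 1 }
        inside { print }
        inside && /^[}]/ { exit }
    ' "$1" | tr -d ' \t'
}

# Echo one of: patched, unpatched, review, not-found.
cf7_patch_status() {
    [ -r "$1" ] || { echo "not-found"; return 0; }
    body=$(cf7_function_body "$1")
    [ -n "$body" ] || { echo "not-found"; return 0; }

    # Fixed-string match against the whitespace-stripped body.
    has() { printf '%s\n' "$body" | grep -Fq -- "$1"; }

    if has '=wp_basename($filename)' && has '[\pC\pZ]+' &&
       ! has '=basename($filename)'; then
        echo "patched"
    elif has '=basename($filename)' && ! has '[\pC\pZ]+'; then
        echo "unpatched"
    else
        echo "review"    # mixed or unexpected content: inspect by hand
    fi
}

if [ "$#" -gt 0 ]; then
    cf7_patch_status "$1"
fi
```

A result of "review" means the function was found but matches neither the old nor the new form exactly, so the file should be read by hand.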
Full details here: