Vulnerability in CF7 - all versions

A vulnerability has been discovered in CF7 which affects all versions of the plugin. As mentioned here, only versions of CF7 up to 5.1.9 are compatible with ClassicPress, which means that we cannot upgrade to the patched version (5.3.2).

However, the fix is simple. In file includes/formatting.php, find function wpcf7_antiscript_file_name() and replace:

$filename = basename( $filename );

with

$filename = wp_basename( $filename );
$filename = preg_replace( '/[\pC\pZ]+/i', '', $filename );

Full details here:

https://contactform7.com/2020/12/17/contact-form-7-532/#more-38314

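A stand-alone way to see what the two replacement lines do, added here as a worked example (it is not code from the original post, from Contact Form 7 or from ClassicPress). It assumes hypothetical function names example_antiscript_file_name() and example_is_allowed_upload(), copies wp_basename() from WordPress core only so the script runs without WordPress loaded, and goes slightly beyond the post's one-liner in two labelled places: it adds the `u` modifier so the \pC/\pZ classes are applied per code point, and it treats a null result from preg_replace (invalid UTF-8) as an empty name so the caller rejects the upload rather than trusting it.

```php
<?php
// Added example, not CF7's or ClassicPress's code: a stand-alone version of the
// sanitiser the patch above produces, so its effect can be checked outside
// WordPress. Function names prefixed example_ are hypothetical.

// wp_basename() as defined in WordPress core, included only so this script runs
// without WordPress loaded (plain basename() is locale dependent and not
// multibyte-safe, which is why the patch switches to wp_basename()).
if ( ! function_exists( 'wp_basename' ) ) {
	function wp_basename( $path, $suffix = '' ) {
		return urldecode( basename( str_replace( array( '%2F', '%5C' ), '/', rawurlencode( $path ) ), $suffix ) );
	}
}

/**
 * Reduce an uploaded file name to its last path component, then strip every
 * Unicode control (\pC) and separator (\pZ) character, as the patched
 * wpcf7_antiscript_file_name() does. Two deliberate additions over the post's
 * one-liner: the `u` modifier makes the classes apply per code point rather
 * than per byte, and a null result (invalid UTF-8) becomes an empty name so
 * the caller rejects the upload instead of proceeding with it.
 */
function example_antiscript_file_name( $filename ) {
	$filename = wp_basename( $filename );
	$clean    = preg_replace( '/[\pC\pZ]+/u', '', $filename );
	return ( null === $clean ) ? '' : $clean;
}

/**
 * Extension allowlist check built on the sanitised name: the extension it
 * compares is the one the filesystem will see, with no hidden characters
 * around it. $allowed is a list of lowercase extensions without the dot.
 */
function example_is_allowed_upload( $filename, array $allowed ) {
	$clean = example_antiscript_file_name( $filename );
	if ( '' === $clean ) {
		return false;
	}
	$ext = strtolower( pathinfo( $clean, PATHINFO_EXTENSION ) );
	return in_array( $ext, $allowed, true );
}

// Constructed sample names (not real upload logs): a directory prefix, a tab,
// a zero-width space (U+200B, category Cf), a plain space (Zs), accented
// letters that must survive, and a truncated UTF-8 sequence that must not.
$samples = array(
	'../uploads/report.pdf'  => 'report.pdf',
	"quarterly\treport.pdf"  => 'quarterlyreport.pdf',
	"notes\u{200B}.txt"      => 'notes.txt',
	'my photo.jpg'           => 'myphoto.jpg',
	'résumé.pdf'             => 'résumé.pdf',
	"badbytes\xC3.txt"       => '',
);

foreach ( $samples as $input => $expected ) {
	$got = example_antiscript_file_name( $input );
	printf(
		"%-30s -> %-22s %s\n",
		addcslashes( $input, "\0..\37\177..\377" ), // show control/high bytes as escapes
		var_export( $got, true ),
		( $got === $expected ) ? 'ok' : 'MISMATCH'
	);
}

// The allowlist sees the real extension after sanitising.
var_dump( example_is_allowed_upload( "quarterly\treport.pdf", array( 'pdf', 'jpg' ) ) ); // bool(true)
var_dump( example_is_allowed_upload( "badbytes\xC3.txt", array( 'txt' ) ) );           // bool(false)
```

Run it with `php example.php`. The `u` modifier matters because without it PCRE classifies each byte as a Latin-1 code point, so the bytes 0x85 (NEL, category Cc) and 0xA0 (NBSP, category Zs) would be removed even when they are the second byte of a multibyte character; with `u` the accented sample passes through untouched, and a name that is not valid UTF-8 is rejected outright rather than being partially rewritten.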

Thanks for the notification on that one; I’ve patched my sites.

I had been aware that CF7 wasn’t supported on CP any more, but I hadn’t got round to doing anything about it yet.

Is Fluent Forms the replacement people are using? Or is there a simpler alternative?

I’m still using CF7 version 5.1.9. It does everything I need in most cases.

I haven’t used Fluent Forms so I can’t comment on that one.

We may consider forking CF7 if there’s sufficient interest but if anyone has any other suggestions, I’d be glad to hear them.

I am using the WPForms free version.
Still works.
But I like CF7 better, so I was thinking to go back to it.
Thanks for sharing the patch.

I’ve always hated CF7 and have always replaced it whenever I take over the management of a site. Previously I would replace it with Formidable Forms free version, but these days I replace with Fluent Forms (free or pro as appropriate).


And (as far as I know) Fluent Forms has committed to supporting CP, so sounds like a good alternative.

On a few sites Smart Forms is working very well. It even supports WP 3.3, so I hope support for WP 4.9 will not be dropped soon.