
WordPress Contact Form Entries Bug Puts 70K Sites at Risk. Did You Patch?

Reviewed by: Andrii Daniv
Aug 13, 2025

Wordfence has disclosed a critical vulnerability in the WordPress plugin Database for Contact Form 7, WPForms, Elementor Forms, also known as Contact Form Entries. The flaw is an unauthenticated PHP object injection, affects all versions up to and including 1.4.3, and carries a CVSS score of 9.8 (critical). A fix is available in version 1.4.5. The plugin has over 70,000 active installations.

WordPress Contact Form Entries Plugin Vulnerability Affects 70K Websites
Update to version 1.4.5 to patch the flaw.

Wordfence Threat Intelligence published an advisory detailing an unauthenticated PHP object injection vulnerability in this plugin: attacker-controlled data reaches PHP deserialization, and the attacker does not need to be logged in. Object injection by itself only instantiates objects; it becomes exploitable when classes already loaded on the site supply a gadget (POP) chain. On sites that also run Contact Form 7, such a chain is available and allows arbitrary file deletion. Deleting wp-config.php takes the site offline and, because WordPress then offers its setup wizard to anyone who visits, can be escalated to remote code execution, which is why Wordfence rates the impact as denial of service or remote code execution. A patch is available in version 1.4.5.

Key details

  • Plugin: Database for Contact Form 7, WPForms, Elementor Forms - also known as Contact Form Entries.
  • Function: Stores contact form submissions in WordPress, with viewing, search, and export tools.
  • Installations: Over 70,000.
  • Severity: CVSS 9.8 (critical).
  • Vulnerability type: Unauthenticated PHP object injection.
  • Affected versions: All versions up to and including 1.4.3.
  • Fixed version: 1.4.5.
  • Exploit conditions: No authentication required.
  • Dependency interaction: Presence of Contact Form 7 can enable a POP chain during deserialization.
  • Impact: Arbitrary file deletion is possible and may lead to denial of service or remote code execution if wp-config.php is deleted.
  • Source: Wordfence advisory.

Background

The Database for Contact Form 7, WPForms, Elementor Forms plugin saves entries from popular form builders into the WordPress database. It supports viewing, searching, marking submissions as read or unread, and exporting. Wordfence notes the risk is higher when Contact Form 7 is also installed, because its classes provide the POP chain that turns the object injection into file deletion.

What to do

  • Update the plugin to version 1.4.5 as soon as possible.
  • Confirm the update applied: check the installed version on the Plugins screen or with WP-CLI, and make sure every site in a multisite or multi-environment setup was updated, not just one.
  • If you cannot update immediately, deactivate the plugin until you can apply the fixed version; the flaw is reachable without authentication, so leaving the vulnerable version active is the risk.
  • Check that wp-config.php is still present and unmodified, since its deletion is the outcome the advisory describes; also confirm whether Contact Form 7 is installed, as that is what makes the file-deletion chain available.
  • Review the Wordfence advisory for technical details.
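The steps above can be scripted for a fleet of sites. The following POSIX shell script is an added example for this article, not code from Etavrian, Wordfence or the plugin itself: it reads the Version: header from each plugin's main file under a WordPress root, decides whether the Contact Form Entries install falls in the affected range (up to and including 1.4.3, fixed in 1.4.5, both from the article), and reports whether Contact Form 7 is present, i.e. whether the file-deletion POP chain applies. The plugin directory and main-file names (contact-form-cfdb7/contact-form-cfdb7.php and contact-form-7/wp-contact-form-7.php) and the sample plugin headers written into a temporary directory are assumptions constructed for the demo; adjust the paths to your install.

```shell
#!/bin/sh
# Added example: assess a WordPress root for the Contact Form Entries flaw.
# Version thresholds come from the article; directory/file names below are
# assumptions, not something the article states.

AFFECTED_MAX="1.4.3"   # highest affected version per the article
FIXED="1.4.5"          # first fixed version per the article

# version_le A B: exit 0 if dotted numeric version A <= B ("1.4.10" > "1.4.9").
# Pure POSIX, so it does not depend on GNU sort -V.
version_le() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"
        y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# plugin_version FILE: print the "Version:" header value of a plugin main file.
# WordPress headers sit in a leading comment, e.g. " * Version: 1.4.3".
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# assess ENTRIES_VERSION CF7_PRESENT(yes|no): print one verdict token.
# A version between 1.4.3 and 1.4.5 is not covered by the article, so it is
# reported as unknown rather than guessed.
assess() {
    ver="$1"
    cf7="$2"
    if [ -z "$ver" ]; then
        echo "NOT-INSTALLED"
    elif version_le "$ver" "$AFFECTED_MAX"; then
        if [ "$cf7" = "yes" ]; then
            echo "VULNERABLE-POP-CHAIN"     # object injection + file-deletion chain
        else
            echo "VULNERABLE"               # object injection, chain not confirmed
        fi
    elif version_le "$FIXED" "$ver"; then
        echo "PATCHED"
    else
        echo "UNKNOWN-UPDATE-TO-$FIXED"
    fi
}

# check_root WPROOT: locate both plugins under a WordPress root (assumed paths)
# and print the verdict for that site.
check_root() {
    root="$1"
    entries="$root/wp-content/plugins/contact-form-cfdb7/contact-form-cfdb7.php"
    cf7="$root/wp-content/plugins/contact-form-7/wp-contact-form-7.php"
    ver=""
    present="no"
    if [ -f "$entries" ]; then ver="$(plugin_version "$entries")"; fi
    if [ -f "$cf7" ]; then present="yes"; fi
    assess "$ver" "$present"
}

# Constructed demo: a fake WordPress root with the affected version installed
# alongside Contact Form 7 (the CF7 version string is a placeholder).
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/wp-content/plugins/contact-form-cfdb7" \
         "$demo_root/wp-content/plugins/contact-form-7"
printf '<?php\n/**\n * Plugin Name: Database for Contact Form 7, WPForms, Elementor Forms\n * Version: 1.4.3\n */\n' \
    > "$demo_root/wp-content/plugins/contact-form-cfdb7/contact-form-cfdb7.php"
printf '<?php\n/*\nPlugin Name: Contact Form 7\nVersion: 6.0\n*/\n' \
    > "$demo_root/wp-content/plugins/contact-form-7/wp-contact-form-7.php"
echo "demo root: $(check_root "$demo_root")"
rm -rf "$demo_root"
```

Run it against a real install with `check_root /var/www/example` (path is yours). Where WP-CLI is available, the same check and fix are `wp plugin get contact-form-cfdb7 --field=version`, `wp plugin update contact-form-cfdb7` and, as the stopgap, `wp plugin deactivate contact-form-cfdb7`; the slug is the same assumption as in the script.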

Author: Etavrian AI, developed by Andrii Daniv to produce and optimize content for the etavrian.com website.
Reviewed by: Andrii Daniv, founder and owner of Etavrian, a performance-driven agency specializing in PPC and SEO services for B2B and e-commerce businesses.