SQL Injection Problem with Contact Form 7? | ww.wp.xz.cn

Resolved jodamo5
(@jodamo5)

8 years, 9 months ago

A number of sites we run that have Contact Form 7 on have been hit with nasty SQL injection in the last month. We’re trying to identify where the injection is happening and found this article from about 7 weeks ago talking about SQL injection in Contact Form 7: https://www.pluginvulnerabilities.com/2017/06/08/vulnerability-details-sql-injection-vulnerability-in-save-contact-form-7/

Any of our sites that have Gravity Forms installed instead have not been hit, which makes us think that Contact Form 7 might be the problem.

Are you aware of the vulnerability that is listed on that site? And is there an update coming out to fix it? Hopefully you can identify what needs to be fixed. Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)

pluginvulnerabilities
(@pluginvulnerabilities)

8 years, 9 months ago

The post you are linking to, which is from our website, relates to a vulnerability that had previously been in the plugin Save Contact Form 7, not Contact Form 7.

If a website has been hacked through a plugin there should be evidence in log file(s) of HTTP activity, so that is what you would want to be reviewing to determine the source of the hack.

Thread Starter jodamo5
(@jodamo5)

8 years, 9 months ago

Thanks for your reply and clarification. With 5 million installs it is good to know that the SQL injection vulnerability wasn’t with Contact Form 7 itself. We’ll have to dig deeper to try to identify how the code was injected throughout the site.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘SQL Injection Problem with Contact Form 7?’ is closed to new replies.

2 replies
2 participants
Last reply from: jodamo5
Last activity: 8 years, 9 months ago
Status: resolved