Is there any further info on this? I can't find anyone else saying contact-form-7 4.8 is vulnerable but…
I was hacked recently – shell script on my server. Looking through the logs, the attacker basically went:
"GET / HTTP/1.1" 200
"GET /contact-us/contact-form/ HTTP/1.1" 200 6728
"POST /wp-json/contact-form-7/v1/contact-forms/{id}/feedback HTTP/1.1" 200 114
"GET /wp-admin HTTP/1.1" 301 250
"POST /wp-login.php HTTP/1.1"
And in they went to cause mayhem.
Could this vulnerability be used for SQL injection? Somehow they got into the wp-admin with a username and password, and the homepage and contact page were the only ones they visited beforehand.
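One way to hunt for the request sequence described in the post across a whole access log is to correlate, per client IP, a POST to a Contact Form 7 feedback endpoint followed shortly by a POST to wp-login.php. The script below is an added example written for this thread, not code from the original post or from the Contact Form 7 project; the log lines, IP addresses, timestamps and form id are constructed, and it assumes Apache/nginx "combined" log format.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (combined format); not taken from the original post.
# 203.0.113.7 reproduces the sequence the poster saw; the other two IPs are benign noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /contact-us/contact-form/ HTTP/1.1" 200 6728
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback HTTP/1.1" 200 114
203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] "GET /wp-admin HTTP/1.1" 301 250
203.0.113.7 - - [10/Oct/2023:13:55:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2023:14:01:00 +0000] "GET /contact-us/contact-form/ HTTP/1.1" 200 6728
198.51.100.4 - - [10/Oct/2023:14:01:30 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback HTTP/1.1" 200 114
192.0.2.9 - - [10/Oct/2023:15:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3500
"""

# Parses the fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The CF7 REST feedback endpoint quoted in the post, with the numeric form id in place of {id}.
CF7_FEEDBACK = re.compile(r'^/wp-json/contact-form-7/v1/contact-forms/\d+/feedback')


def parse(log_text):
    """Yield one dict per parseable log line, with 'ts' converted to an aware datetime."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def find_suspicious_ips(log_text, window_seconds=300):
    """Return IPs that POSTed to a CF7 feedback endpoint and then POSTed to
    /wp-login.php from the same address within window_seconds."""
    last_feedback = {}  # ip -> timestamp of most recent CF7 feedback POST
    flagged = set()
    for rec in parse(log_text):
        if rec["method"] == "POST" and CF7_FEEDBACK.match(rec["path"]):
            last_feedback[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            seen = last_feedback.get(rec["ip"])
            if seen is not None and (rec["ts"] - seen).total_seconds() <= window_seconds:
                flagged.add(rec["ip"])
    return sorted(flagged)


if __name__ == "__main__":
    print(find_suspicious_ips(SAMPLE_LOG))  # ['203.0.113.7']
```

Run it against a real log with `find_suspicious_ips(open("access.log").read())`; a hit only shows the two requests were adjacent from one address, so check what the feedback POST body contained and whether the login that followed succeeded before drawing conclusions.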