WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Contact Form 7 safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Contact Form 7 WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: contact-form-7
  • Requires PHP: 7.4+
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • Contact Form 7 [contact-form-7] < 5.3.2 [CVE-2020-35489, Contact Form 7 &lt; 5.3.2 - Unrestricted File Upload, Contact Form 7 <= 5.3.1 - Arbitrary File Upload via Bypass]
  • Contact Form 7 [contact-form-7] < 5.0.4 [CVE-2018-20979, Contact Form 7 &lt;= 5.0.3 - register_post_type() Privilege Escalation, Contact Form 7 <= 5.0.3 - Authorization Bypass]
  • Contact Form 7 [contact-form-7] < 3.7.2 [CVE-2014-2265, Contact Form 7 &lt;= 3.7.1 - CAPTCHA Bypass, Contact Form 7 < 3.7.2 - CAPTCHA Bypass]
  • Contact Form 7 [contact-form-7] < 5.3.2 [WordPress Contact Form 7 plugin <= 5.3.1 - Unrestricted File Upload vulnerability]
  • Contact Form 7 [contact-form-7] < 5.0.4 [WordPress Contact Form 7 plugin <= 5.0.3 - Privilege Escalation vulnerability]
+ 7 more known vulnerabilities
  • Contact Form 7 [contact-form-7] < 3.5.3 [WordPress Contact Form 7 Plugin <= 3.5.2 - Remote Code Execution]
  • Contact Form 7 [contact-form-7] < 3.5.3 [Contact Form 7 &lt;= 3.5.2 - File Upload Remote Code Execution]
  • Contact Form 7 [contact-form-7] < 3.5.3 [Contact Form 7 <= 3.5.2 - Arbitrary File Upload]
  • Contact Form 7 [contact-form-7] < 5.8.4 [CVE-2023-6449, Contact Form 7 <= 5.8.3 - Authenticated (Editor+) Arbitrary File Upload, WordPress Contact Form 7 Plugin <= 5.8.3 is vulnerable to Arbitrary File Upload, Contact Form 7 &lt; 5.8.4 - Authenticated (Editor+) Arbitrary File Upload]
  • Contact Form 7 [contact-form-7] < 5.9.2 [CVE-2024-2242, Contact Form 7 <= 5.9 - Reflected Cross-Site Scripting, WordPress Contact Form 7 Plugin <= 5.9 is vulnerable to Cross Site Scripting (XSS), Contact Form 7 &lt; 5.9.2 - Reflected Cross-Site Scripting]
  • Contact Form 7 [contact-form-7] < 5.9.5 [CVE-2024-4704, WordPress Contact Form 7 Plugin < 5.9.5 is vulnerable to Open Redirection, Contact Form 7 <= 5.9.4 - Unauthenticated Open Redirect]
  • Contact Form 7 [contact-form-7] < 6.0.6 [CVE-2025-3247, WordPress Contact Form 7 Plugin <= 6.0.5 is vulnerable to Other Vulnerability Type, Contact Form 7 <= 6.0.5 - Order Replay Vulnerability, EUVD-2025-11473]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.