The Wordfence Threat Intelligence team announced that they have discovered a Cross-Site Request Forgery to Stored Cross Site Scripting vulnerability in Contact Form 7 Style. The WordPress plugin is currently installed on over 50,000 sites. It is a separate plugin from “Contact Form 7” and is designed as an add-on to that plugin.
Wordfence also announced that they contacted both the developer and the WordPress Plugins team, however, the developer didn’t respond or patched the vulnerability since the 9th of December. Thus, the plugin is removed from the repository due to lack of response.
“We strongly recommend deactivating and removing the Contact Form 7 Style plugin and finding a replacement, as it appears this plugin won’t be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, and you are running the Wordfence Web Application Firewall, then you can rest assured that your site will be protected against any exploits targeting this vulnerability while searching for a replacement.
Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.”