Findings
If the file upload functionality is not used then this plugin is probably safe to use.
The file upload functionality attempts to protect the user from uploading executable code by modifying the filename if it matches a blacklist of executable file types, e.g. .php (using the "wpcf7_antiscript_file_name" function). This will not be effective for executable file types that are not on the blacklist, and it could be bypassed if a local file inclusion vulnerability were present elsewhere on the system.
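As an added example (not code from Contact Form 7), the allowlist alternative to the blacklist approach described above, written as a standalone PHP function with a constructed allowlist and constructed sample filenames; it goes beyond the single-extension case in the finding by inspecting every dot-separated segment, so double extensions and dot-leading names are covered as well:

```php
<?php
// Added example, not Contact Form 7's own code. An allowlist-based upload
// filename filter: any extension segment that is not explicitly allowed is
// neutralised, so executable types a blacklist never listed are covered by
// default. The allowlist below is constructed for the example.

function safe_upload_name(string $original, array $allowed = ['pdf', 'jpg', 'jpeg', 'png', 'txt']): string
{
    // Drop any directory component supplied by the client.
    $name = basename(str_replace('\\', '/', $original));

    // Split on every dot so a double extension ("x.php.jpg") is inspected
    // segment by segment rather than only at the last dot.
    $segments = explode('.', $name);
    $base     = array_shift($segments);

    // Reduce the base name to a conservative character set; a dot-leading
    // name such as ".htaccess" has an empty base and gets a neutral one.
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);
    if ($base === '') {
        $base = 'file';
    }

    $segments = array_map('strtolower', $segments);

    // Every segment must be on the allowlist; otherwise the dots are
    // replaced with underscores so the stored name carries no extension
    // at all and no server handler can be matched on it.
    foreach ($segments as $ext) {
        if (!in_array($ext, $allowed, true)) {
            $flat = preg_replace('/[^a-z0-9]/', '_', implode('_', $segments));
            return $base . '_' . $flat;
        }
    }

    return $segments === [] ? $base : $base . '.' . implode('.', $segments);
}

// Constructed sample filenames to exercise the function.
foreach (['report.pdf', 'photo.JPG', 'shell.php', 'trick.php.jpg', '../../evil.png', '.htaccess'] as $f) {
    echo $f, ' => ', safe_upload_name($f), PHP_EOL;
}
```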
The function "wpcf7_init_uploads" attempts to deny access to the file upload temporary directory by writing a rule into .htaccess. This will be effective for the majority of users, but not for those who are not using Apache, or who have disabled .htaccess processing.
In the WPCF7_Submission class, the entire $_POST array is stored on the object, which makes it difficult to trace what happens to that data afterwards.
Several factors significantly impacted the tester’s ability to understand what the code is doing:
- Frequent long and unwieldy functions (over 100 lines)
- Lack of clear commenting to explain complex functionality
Reason for the 'Use with caution' result
The plugin appears not to be vulnerable, but could interact with another component in such a way as to become vulnerable:
Sites with a contact form that allows file upload could be vulnerable to attack because of the risk of local file inclusion vulnerabilities in other plugins, or of server configurations that allow certain file types to be executed.
If a site does not allow file upload, this plugin is probably safe to use.