Plugin inspection:

Contact Form 7

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.


This recommendation applies to version 4.0.3 of this plugin, but the most recent version is 5.9.4. These findings may no longer be correct.


If the file upload functionality is not used then this plugin is probably safe to use.

The file uploading functionality attempts to protect the user from uploading executable code by modifying the filename if it matches a blacklist of executable file types – e.g .php (using the “wpcf7_antiscript_file_name” function). This will not be effective for executable file types not on the blacklist and could be bypassed if a local file inclusion vulnerability was present in the system.

The function “wpcf7_init_uploads” attempts to deny access to the file upload temporary directory by writing a rule into htaccess. This will be effective for a majority of users, but not for those who are not using apache, or who have disabled htaccess.

In the WPCF7_Submission class, the whole $_POST data object is saved to the class and it is difficult to check what happens to this data afterwards.

Several factors significantly impacted the tester’s ability to understand what the code is doing:

  • Frequent long and unwieldy functions (over 100 lines)
  • Lack of clear commenting to explain complex functionality

Reason for the 'Use with caution' result

The plugin appears not to be vulnerable, but could interact with another component in such a way as to become vulnerable:

Sites with a contact form which allows file upload could be at vulnerable to attacks because of the risk of local file inclusion vulnerabilities in other plugins, or server configurations which allow certain file types to be executed.

If a site does not allow file upload, this plugin is probably safe to use.

Failure criteria

  • Poor coding style
  • Poor architecture
  • Unsafe file or network IO

Read more about our failure criteria.