Plugin inspection:

Contact Form 7

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe.

Warnings

This recommendation applies to version 3.4.2 of this plugin, but the most recent version is 5.9.8. These findings may no longer be correct.

Findings

This plugin generates forms which can have file attachments, allowing unauthenticated users to upload files to the web server, where they are placed in a known location.

The plugin uses .htaccess files to prevent direct access to uploaded files. This may not work in hardened environments where the web server is configured to ignore .htaccess files.

Combined with a local file inclusion vulnerability elsewhere, this plugin's functionality would aid an attack, albeit with quite a narrow timing window.

Generally, the plugin also seems to have a lot of code for what it does, but no other issues were found, and the plugin is not vulnerable in its default/expected configuration.