WordPress: Vulnerability in plugin "Contact Form 7 Style" permanently unfixed


The makers of the security plugin Wordfence for the CMS WordPress have discovered a vulnerability classified as "high" (CVSS score 8.8) in the plugin "Contact Form 7 Style". It affects all versions of the plugin and can allow attackers to inject malicious JavaScript code into WordPress websites on which it runs. A prerequisite, however, is that the attacker gets a registered user to carry out a specific interaction (clicking a specially crafted link or attachment).

According to Wordfence, "Contact Form 7 Style" runs on over 50,000 WordPress websites. The plugin is used to add further styles to forms created with the plugin Contact Form 7 and thus adapt their appearance. It is therefore an add-on to "Contact Form 7", which is installed millions of times, comes from a different developer and is explicitly not affected by the vulnerability.


The plugin in question, an add-on to the well-known Contact Form 7.

Disabling and removing urgently advisable

According to its own account, the Wordfence team informed the developers of the vulnerable plugin about the weakness as early as the beginning of December. After they did not respond, it turned directly to the WordPress team in January, which gave the developers another 30 days to update the code. After nothing happened, WordPress completely removed "Contact Form 7 Style" from the official plugin repository last week.

Given that the plugin is evidently no longer maintained or developed and that its developers have not responded to inquiries for almost two months, Wordfence advises in its blog entry on the vulnerability to remove the plugin from WordPress and to look for alternatives.