Contact Form 7 Vulnerability in +5 Million Sites

A vulnerability has been discovered in Contact Form 7 that allows an attacker to upload malicious scripts. The publishers of Contact Form 7 have released an update to fix the vulnerability.

Unrestricted File Upload Vulnerability

An unrestricted file upload vulnerability in a WordPress plugin is one where the plugin allows an attacker to upload a web shell (malicious script) that can then be used to take over a site, tamper with its database and so on.

A web shell is a malicious script, written in any web language, that is uploaded to a vulnerable site, automatically processed and used to…

5M WordPress Sites Running the Contact Form 7 Plugin are Open to Attack – Threatpost

A critical unrestricted file upload bug in Contact Form 7 allows an unauthenticated visitor to take over a site running the plugin.

A patch for the popular WordPress plugin called Contact Form 7 was released Thursday and fixes a critical bug that allows an unauthenticated adversary to take over a website running the plugin or possibly hijack the entire server hosting the site. The patch comes in the form of a 5.3.2 version update to the Contact Form 7 plugin.

The WordPress utility is active on five million websites with a majority of…

Help Steer the Future of WordPress via the FSE Outreach Program – WordPress Tavern

All hands on deck. 2021 will be the year of the Site Editor.

Anne McCarthy announced the official start of the Full-Site Editing (FSE) Outreach Program last Friday on the Make Core blog. The program is primarily geared toward end-users. With few channels for average users to communicate with the development team, this offers an opportunity for them to provide direct feedback.

This announcement comes on the heels of Matias Ventura’s full overview of the FSE project. In the post, he laid out where specific FSE features currently stand and what needs to happen to bring the project…

WordPress plugin with 5 million installs has a critical vulnerability

The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch.

The vulnerable plugin, Contact Form 7, has over 5 million active installs making this urgent upgrade a necessity for WordPress site owners out there.

Unrestricted file upload

This week, the Contact Form 7 project disclosed an unrestricted file upload vulnerability (CVE pending) in the WordPress plugin that can allow an attacker to bypass Contact Form 7’s filename sanitization protections when uploading files.

An attacker can upload a crafted file with arbitrary code…

WordPress Redux Plugin Vulnerability Affects +1 Million Sites

Redux, a popular WordPress plugin with more than 1 million active installations recently patched a vulnerability. The vulnerability allowed an attacker to bypass security measures in a Cross-Site Request Forgery (CSRF) attack.

Cross-Site Request Forgery

A Cross-Site Request Forgery (CSRF) attack is a method where an attacker exploits a vulnerability in a site's code to perform actions on that website on behalf of a user who is already logged in. The attack works by abusing the credentials of the authenticated user rather than the attacker's own.

The U.S. Department of Commerce defines CSRF like this:

“A type of Web exploit where an unauthorized party causes…

Learn WordPress site launched – To help people learn its CMS

To increase its popularity and the diversity within the CMS, WordPress has launched a new platform called Learn WordPress. Considering that a wonderful community has always had WordPress’s back, Learn WordPress will be a fantastic place where upcoming enthusiasts can access workshops, quizzes, courses, and even lesson plans.

Learn WordPress site launched

As you can guess, this website will prepare tech enthusiasts to create the best content for the WordPress CMS, not just in terms of core development but also themes, extensions, and more.

The Learn WordPress team aims to…

Learn WordPress Platform Launches with Free Courses, Workshops, and Lesson Plans – WordPress Tavern

WordPress.org has officially launched its new “Learn WordPress” platform, a free educational resource that includes courses, workshops, quizzes, lesson plans, and discussion groups. The material spans the spectrum of WordPress experience from beginners to advanced, and allows users to learn asynchronously at their own pace. After a successful beta launch in August, the platform is now ready for the public.

Traditionally, most WordPress learning opportunities have been in-person at WordCamps and local meetups. Since large gatherings have been put on pause this year due to…

Record and Track Past Events With the LifePress Calendar Plugin – WordPress Tavern

Two weeks ago, Ashan Jay released LifePress to the WordPress plugin directory. It is an interactive, front-end calendar for tracking past events — a journal of sorts. For a version 1.0 launch, it has enough features with just the right touch of simplicity to show promise.

This is not Jay’s first rodeo when it comes to calendar-based plugins. He is also the creator of EventON, a virtual event calendar for WordPress.

The goal of the plugin is simple. As its description reads, “LifePress is a calendar based journal recorder that will allow you to track back progress and review…

What are WordPress plugins? – Security Boulevard

If you are new to WordPress, you might be wondering what WordPress plugins are and what their purpose is.

It’s a reasonably common question to ask because plugins are an important part of the WordPress ecosystem. They are essential if you want to build a website with WordPress.

In this article, we explain what WordPress plugins are, what their purpose on a website is, and how they work. Then, we’ll give you a few tips on how to add plugins to your site and manage them correctly.

Let’s dive right in!

What are WordPress plugins?

WordPress is a very basic blogging and…

G2 Components, a From-Scratch Reimagining of WordPress Components – WordPress Tavern

Update some of the things.

That was the goal that Jon Quach, a Principal Designer at Automattic, laid out in the roadmap for integrating the G2 Components project into Gutenberg and, eventually, core WordPress. The project is a reimagining of the pieces that make the block editor, a “from-scratch” overhaul of the component system. Updating all of the things or even many of the things at once runs the risk of breaking everything.

“Ideally, what should happen is you should update just some of the things in a very controlled and intentional manner,” wrote Quach in the post…
