Exploiting this Vulnerability
By exploiting this vulnerability, a logged-in user with the Contributor role can edit contact forms, an action that by default is restricted to users in the Administrator and Editor roles. Because a form's mail settings include the local file attachment feature, this is also why the fix below restricts that feature. The issue was reported by Simon Scannell of RIPS Technologies.
Fixing This Vulnerability
- Update Contact Form 7 to the latest version.
- Contact Form 7 5.0.4 and higher restrict the local file attachment feature: an absolute file path that refers to a file outside the wp-content directory is no longer accepted in the File Attachments field.
- Keep attachment files inside the wp-content directory (for example by uploading them through the WordPress media uploader) and reference them in the File Attachments field either by a path relative to wp-content or by an absolute path that stays inside wp-content. The only change needed is the location of the attachment files.
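The following is an added example, not code from Contact Form 7 or from RIPS Technologies. It shows the kind of containment check the fix describes: an attachment path, relative or absolute, is accepted only if it canonicalises to an existing file inside wp-content. It assumes POSIX paths and a WP_CONTENT_DIR constant as WordPress defines it (a scratch directory is substituted when run outside WordPress); the function names demo_attachment_path_in_content_dir and demo_run are made up for this example.

```php
<?php
// Added example, not code from Contact Form 7 or RIPS. It shows the kind
// of containment check the 5.0.4 fix describes: an attachment path is only
// accepted if it resolves to an existing file inside wp-content.
// Assumptions: POSIX paths, and a WP_CONTENT_DIR constant as WordPress
// defines it; the function names below are made up for this example.

if (!defined('WP_CONTENT_DIR')) {
    // Running outside WordPress: use a scratch directory so the demo works.
    define('WP_CONTENT_DIR', sys_get_temp_dir() . '/cf7-demo/wp-content');
}

/**
 * Resolve an attachment path the way the File Attachments field treats it
 * (relative paths are relative to wp-content) and return its canonical
 * form, or null if it escapes wp-content or does not exist.
 */
function demo_attachment_path_in_content_dir(string $path): ?string
{
    if ($path === '') {
        return null;
    }
    $candidate = ($path[0] === '/') ? $path : WP_CONTENT_DIR . '/' . $path;

    // realpath() collapses '.' and '..', follows symlinks and returns false
    // for anything that does not exist, so the comparison below is made on
    // the real target, not on the string the user typed. A symlink placed
    // inside wp-content that points outside it is therefore rejected too.
    $real = realpath($candidate);
    $root = realpath(WP_CONTENT_DIR);
    if ($real === false || $root === false) {
        return null;
    }

    // Compare with a trailing separator so '/srv/wp-content-old/...' is not
    // accepted as being under '/srv/wp-content'.
    $root = rtrim($root, '/') . '/';
    if (strncmp($real, $root, strlen($root)) !== 0) {
        return null;
    }
    return $real;
}

/** Build a throwaway layout and exercise the check on typical inputs. */
function demo_run(): array
{
    $base = dirname(WP_CONTENT_DIR);              // the fake WordPress root
    @mkdir(WP_CONTENT_DIR . '/uploads', 0700, true);
    // Constructed fixtures: one legitimate attachment, one sensitive file.
    file_put_contents(WP_CONTENT_DIR . '/uploads/brochure.pdf', 'pdf');
    file_put_contents($base . '/wp-config.php', '<?php // secrets');

    $cases = [
        'uploads/brochure.pdf',                    // relative, inside: accepted
        WP_CONTENT_DIR . '/uploads/brochure.pdf',  // absolute, inside: accepted
        '../wp-config.php',                        // traversal out: rejected
        $base . '/wp-config.php',                  // absolute outside: rejected
        'uploads/missing.pdf',                     // does not exist: rejected
    ];
    $results = [];
    foreach ($cases as $case) {
        $results[$case] = demo_attachment_path_in_content_dir($case);
    }
    return $results;
}

foreach (demo_run() as $input => $resolved) {
    printf("%-60s => %s\n", $input, $resolved ?? 'rejected');
}
```

Run it with `php demo.php`: the two wp-content paths resolve, while the traversal, the absolute path to wp-config.php and the missing file are all rejected. The check is done on the canonical path after realpath(), not on the user-supplied string, so a path that only looks relative or only looks harmless cannot be used to attach a file from elsewhere on the server.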
Requires: WordPress 4.8 or higher
Tested up to: WordPress 4.9.8