Contact Form 7 Vulnerability Puts 5 Million Websites and
15% of Lawyer Websites At Risk

WordPress, one of the most popular content management systems (CMS), powering an estimated 38% of all websites, contains a critical vulnerability in the most popular contact plugin, Contact Form 7.

By conducting an extensive crawl of over 7,500 lawyer websites, SEM Dynamics has determined that approximately 15% of websites in the legal industry are exposed to this vulnerability.


  • An estimated 5 million websites are potentially vulnerable
  • SEM Dynamics scanned 7,564 law firm websites and an estimated 15% (1,164) are vulnerable to the recently disclosed exploit
  • The vulnerability allows hackers to inject malicious code on your website
  • A patch has been released
  • If your law firm's website uses Contact Form 7 on WordPress, you should update to the latest version of Contact Form 7

Why is this especially important for lawyers?

Unlike a smaller blog or local website, lawyers are held to a higher standard. This higher standard is not just an expectation from the general public, but laws may exist, such as HIPPA, that may legally hold a lawyer's website to that higher standard.

Also, because the costs and values attributed to attaining signed clients are much greater than the average business, service interruptions can quickly become more costly.

Imagine paying $200 per click but having your website be knocked offline. Even worse, an attacker can steal the data that is being submitted from potential clients! These exploits can cause direct monetary losses as well as opportunity losses.

Details surrounding the Contact Form 7 vulnerability

The team behind a favorite WordPress plugin has disclosed a critical file upload vulnerability and issued a patch.

The exposed plugin, Contact Form 7, has over 5 million active installs which make this critical upgrade a necessity for all WordPress website owners who use the plugin. 

Jinson Varghese Behanan from Astra Security discovered an unrestricted file upload vulnerability in the popular Contact Form 7 plugin. This WordPress plugin allows users to add multiple contact forms on their website.

The Astra Security Research team initially disclosed to Contact Form 7 plugin developers on December 16, 2020. After getting the acknowledgment from the plugin developers, they revealed the full details relating to this vulnerability on December 17, 2020. On precisely the exact same day, a patch was released.

On December 19 and December 20, SEM Dynamics deployed a website crawler to determine the potential extent of the threat throughout the legal industry. A total of 7,564 lawyer websites were scanned. Of those sites, SEM Dynamics confirmed that 1,164 of the 7,564 websites utilized both WordPress and Contact Form 7. This represents an approximate 15% exposure percentage.

The Astra Security Research team stated,

"By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website."

Asuta Security then continues: 

"Further, it allows an attacker to inject malicious content such as web shells into the sites that are using the Contact Form 7 plugin version below 5.3.1 and have file upload enabled on the forms."

An unrestricted document upload vulnerability in a WordPress plugin is whenever the plugin makes it possible for an attacker to upload a web shell (malicious script) that can subsequently be used to take over a site, tamper with a database, and so on.

A website shell script is a malicious script that can be written in any web language that's uploaded to a vulnerable website, automatically processed, and used to get access, execute orders, tamper with the database, etc.   

The plugin, Contact Form 7, enables users to include multiple contact types on their site but was recently found to contain a severe vulnerability by Astra safety researchers. The vulnerability is being tracked as CVE-2020-35489, plus a patch was contained within the Contact Form 7 5.3.2 update. The Contact Type 7 project has classified the upgrade as "an urgent safety and maintenance release" and advised users to install it immediately.

What should you do if your website uses WordPress and Contact Form 7?

First and foremost, if you are unaware of what CMS or plugins your website uses, it is best to err on the side of caution. Contact whoever handles updating your website, ask that they read this article and follow the recommendations.

First, before making any updates, it is always important to back up your website. WordPress offers several backup plugin solutions. Some hosts have their own backup solution as well.

After a backup is completed, update your website's plugins, specifically Contact Form 7. You want the version of Contact Form 7 to be greater than 5.3.1. The version that has the fix applied is version 5.3.2. 

Install security monitoring software if your website does not currently have a security monitoring solution. Similar to backing up your site, WordPress has several security plugin options available and some hosting providers have their own solutions.

Matthew Post head shot
Matthew Post

About The Author

As an advocate for people-first marketing, Matthew Post, the co-founder of SEM Dynamics, has dedicated over two decades to building and optimizing websites. He has worked in-house for nationwide e-commerce companies as well as large local firms to increase customer engagements through conversion rate optimization and search engine optimization. His expertise covers both the development and growth of digital properties.