PLUGIN SECURITY
Is Contact Form 7 safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Contact Form 7 WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
contact-form-7 - Requires PHP: 7.4+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Contact Form 7 [contact-form-7] < 5.3.2 [CVE-2020-35489, Contact Form 7 < 5.3.2 - Unrestricted File Upload, Contact Form 7 <= 5.3.1 - Arbitrary File Upload via Bypass]
- Contact Form 7 [contact-form-7] < 5.0.4 [CVE-2018-20979, Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation, Contact Form 7 <= 5.0.3 - Authorization Bypass]
- Contact Form 7 [contact-form-7] < 3.7.2 [CVE-2014-2265, Contact Form 7 <= 3.7.1 - CAPTCHA Bypass, Contact Form 7 < 3.7.2 - CAPTCHA Bypass]
- Contact Form 7 [contact-form-7] < 5.3.2 [WordPress Contact Form 7 plugin <= 5.3.1 - Unrestricted File Upload vulnerability]
- Contact Form 7 [contact-form-7] < 5.0.4 [WordPress Contact Form 7 plugin <= 5.0.3 - Privilege Escalation vulnerability]
+ 7 more known vulnerabilities
- Contact Form 7 [contact-form-7] < 3.5.3 [WordPress Contact Form 7 Plugin <= 3.5.2 - Remote Code Execution]
- Contact Form 7 [contact-form-7] < 3.5.3 [Contact Form 7 <= 3.5.2 - File Upload Remote Code Execution]
- Contact Form 7 [contact-form-7] < 3.5.3 [Contact Form 7 <= 3.5.2 - Arbitrary File Upload]
- Contact Form 7 [contact-form-7] < 5.8.4 [CVE-2023-6449, Contact Form 7 <= 5.8.3 - Authenticated (Editor+) Arbitrary File Upload, WordPress Contact Form 7 Plugin <= 5.8.3 is vulnerable to Arbitrary File Upload, Contact Form 7 < 5.8.4 - Authenticated (Editor+) Arbitrary File Upload]
- Contact Form 7 [contact-form-7] < 5.9.2 [CVE-2024-2242, Contact Form 7 <= 5.9 - Reflected Cross-Site Scripting, WordPress Contact Form 7 Plugin <= 5.9 is vulnerable to Cross Site Scripting (XSS), Contact Form 7 < 5.9.2 - Reflected Cross-Site Scripting]
- Contact Form 7 [contact-form-7] < 5.9.5 [CVE-2024-4704, WordPress Contact Form 7 Plugin < 5.9.5 is vulnerable to Open Redirection, Contact Form 7 <= 5.9.4 - Unauthenticated Open Redirect]
- Contact Form 7 [contact-form-7] < 6.0.6 [CVE-2025-3247, WordPress Contact Form 7 Plugin <= 6.0.5 is vulnerable to Other Vulnerability Type, Contact Form 7 <= 6.0.5 - Order Replay Vulnerability, EUVD-2025-11473]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Akismet Anti-spam: Spam Protection — 6000000+ active installs — max PHP 8.4
- WPForms – AI Form Builder for WordPress – Contact Forms, Payment Forms, Survey Form, Quiz & More — 5000000+ active installs
- Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder — 700000+ active installs — max PHP <8.0
- Forminator Forms – Contact Form, Payment Form & Custom Form Builder — 600000+ active installs
- Ninja Forms – The Contact Form Builder That Grows With You — 600000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.