23 Websites Still Using a Vulnerable Version of Contact Form 7

CRITICAL: A known security vulnerability has been identified in Contact Form 7. Our recent scans found 23 websites still running the affected version.

What Happened

During our routine security monitoring this week, we identified that Contact Form 7 — a WordPress plugin used by 10,000,000+ websites — contains a security vulnerability in certain versions.

CVE: CVE-2020-35489

Vulnerability Type: Arbitrary File Upload

Who Is Affected

Plugin: Contact Form 7
Affected Versions: < 5.3.2
Severity: CRITICAL
Active Installs: 10,000,000+
Sites Found Vulnerable: 23 (from TrustedWeb scans)

Fixed Version

Contact Form 7 5.3.2 and later versions have patched this vulnerability. Update immediately if you are running an older version.

What You Should Do

  1. Update the plugin to the latest version from your WordPress dashboard (Plugins → Installed Plugins → Update).
  2. Change your admin password if the vulnerability involves authentication or privilege escalation.
  3. Scan your website for any signs of compromise or modified files.
  4. Review your security headers — many sites we scan are also missing basic headers like HSTS and Content-Security-Policy.
  5. Check your site’s trust score to see your overall security posture.

How TrustedWeb Detected This

TrustedWeb continuously monitors vulnerability databases and cross-references them with data from our website security scans. This week alone, we analyzed 49 websites and identified outdated plugins, missing security headers, SSL issues, and more.

If you’re unsure whether your website is affected, run a free scan.


About Responsible Disclosure

This vulnerability was reported through coordinated disclosure. The plugin developer was notified and has released a fix. We publish this information only after a patch is available, to help website owners protect themselves without exposing exploit details.

Source: trustedweb

Critical Vulnerability Found in Tutor LMS Pro — 13 Sites at Risk

CRITICAL: A known security vulnerability has been identified in Tutor LMS Pro. Our recent scans found 13 websites still running the affected version.

What Happened

During our routine security monitoring this week, we identified that Tutor LMS Pro — a WordPress plugin used by thousands of websites — contains a security vulnerability in certain versions.

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim’s email address.
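As an added illustration, not Tutor LMS Pro's own code: a constructed social-login handler in Python that shows the missing binding between the client-supplied e-mail and the e-mail verified by the OAuth provider, beside the hardened form that derives the identity only from the provider-verified address. The user directory, token table, audit list and function names are all constructed for this example.

```python
"""Social-login e-mail binding: the missing check and its fix (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed user directory standing in for the WordPress user table (email -> role).
USERS = {"victim@example.com": "administrator", "attacker@example.com": "subscriber"}

# Constructed stand-in for the OAuth provider's userinfo endpoint:
# access token -> e-mail the provider has verified for the token's owner.
PROVIDER_TOKENS = {"tok-attacker": "attacker@example.com"}

# Constructed audit log; a claimed/verified mismatch is worth alerting on.
AUDIT: list = []


@dataclass
class LoginRequest:
    email: str         # e-mail the client claims to be logging in as
    access_token: str  # OAuth access token the client presents


def validate_token(token: str) -> Optional[str]:
    """Stand-in for validating the token with the provider; returns the verified e-mail."""
    return PROVIDER_TOKENS.get(token)


def login_vulnerable(req: LoginRequest) -> Optional[str]:
    """Token validity is checked, but the account is chosen from the client's claimed e-mail."""
    if validate_token(req.access_token) is None:
        return None
    return USERS.get(req.email)  # trusts attacker-controlled input for identity


def login_fixed(req: LoginRequest) -> Optional[str]:
    """Identity comes only from the provider-verified e-mail; the claim must match it."""
    verified = validate_token(req.access_token)
    if verified is None:
        return None
    if req.email != verified:
        # The claimed address does not belong to the token owner: reject and record it.
        AUDIT.append(f"social-login mismatch: claimed={req.email} verified={verified}")
        return None
    return USERS.get(verified)  # lookup keyed on the verified address, never the claim
```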

CVE: CVE-2026-0953

Vulnerability Type: Authentication Bypass

Who Is Affected

Plugin: Tutor LMS Pro
Affected Versions: all versions up to and including 3.9.5
Severity: CRITICAL
Active Installs: thousands
Sites Found Vulnerable: 13 (from TrustedWeb scans)

What You Should Do

  1. Update the plugin to the latest version from your WordPress dashboard (Plugins → Installed Plugins → Update).
  2. Change your admin password; this vulnerability is an authentication bypass, so this step applies here.
  3. Scan your website for any signs of compromise or modified files.
  4. Review your security headers — many sites we scan are also missing basic headers like HSTS and Content-Security-Policy.
  5. Check your site’s trust score to see your overall security posture.

How TrustedWeb Detected This

TrustedWeb continuously monitors vulnerability databases and cross-references them with data from our website security scans. This week alone, we analyzed 110 websites and identified outdated plugins, missing security headers, SSL issues, and more.

If you’re unsure whether your website is affected, run a free scan.


About Responsible Disclosure

This vulnerability was reported through coordinated disclosure. The plugin developer was notified and has released a fix. We publish this information only after a patch is available, to help website owners protect themselves without exposing exploit details.

Source: nvd