PluginContact Form 7 Affected Versions< 5.3.2 SeverityCRITICAL Active Installs10,000,000+ Sites Found Vulnerable23 (from TrustedWeb scans)

Update the plugin to the latest version from your WordPress dashboard (Plugins → Installed Plugins → Update). Change your admin password if the vulnerability involves authentication or privilege escalation. Scan your website for any signs of compromise or modified files. Review your security headers — many sites we scan are also missing basic headers like HSTS and Content-Security-Policy. Check your…

23 Websites Still Using a Vulnerable Version of Contact Form 7

Q: What Happened

During our routine security monitoring this week, we identified that Contact Form 7 — a WordPress plugin used by 10,000,000+ websites — contains a security vulnerability in certain versions. CVE: CVE-2020-35489 Vulnerability Type: Arbitrary File Upload

Q: How TrustedWeb Detected This

TrustedWeb continuously monitors vulnerability databases and cross-references them with data from our website security scans. This week alone, we analyzed 49 websites and identified outdated plugins, missing security headers, SSL issues, and more. If you're unsure whether your website is affected, run a free scan:

CRITICAL: A known security vulnerability has been identified in Contact Form 7. Our recent scans found 23 websites still running the affected version.

What Happened

During our routine security monitoring this week, we identified that Contact Form 7 — a WordPress plugin used by 10,000,000+ websites — contains a security vulnerability in certain versions.

CVE: CVE-2020-35489

Vulnerability Type: Arbitrary File Upload

Who Is Affected

Plugin	Contact Form 7
Affected Versions	< 5.3.2
Severity	CRITICAL
Active Installs	10,000,000+
Sites Found Vulnerable	23 (from TrustedWeb scans)

Fixed Version

Contact Form 7 5.3.2 and later versions have patched this vulnerability. Update immediately if you are running an older version.

What You Should Do

Update the plugin to the latest version from your WordPress dashboard (Plugins → Installed Plugins → Update).
Change your admin password if the vulnerability involves authentication or privilege escalation.
Scan your website for any signs of compromise or modified files.
Review your security headers — many sites we scan are also missing basic headers like HSTS and Content-Security-Policy.
Check your site’s trust score to see your overall security posture.

How TrustedWeb Detected This

TrustedWeb continuously monitors vulnerability databases and cross-references them with data from our website security scans. This week alone, we analyzed 49 websites and identified outdated plugins, missing security headers, SSL issues, and more.

If you’re unsure whether your website is affected, run a free scan:

Is Your Website Secure?

Run a free security scan to check for vulnerabilities, missing headers, SSL issues, and more.

Scan Your Website Free

About Responsible Disclosure

This vulnerability was reported through coordinated disclosure. The plugin developer was notified and has released a fix. We publish this information only after a patch is available, to help website owners protect themselves without exposing exploit details.

Source: trustedweb