Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately.
An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server. This issue has been reported by Jinson Varghese Behanan from Astra Security.
Requires: WordPress 5.4 or higher
Tested up to: WordPress 5.6
Wednesday, December 23, 2020