Security Experts:

Connect with us

Hi, what are you looking for?



Critical Vulnerability Found in Popular WordPress Contact Form Plugin

A critical, remotely exploitable vulnerability has been found in a popular WordPress plugin that allows users to easily customize every aspect of the contact forms they embed into their websites.

A critical, remotely exploitable vulnerability has been found in a popular WordPress plugin that allows users to easily customize every aspect of the contact forms they embed into their websites.

The flaw in Custom Contact Forms was identified by researchers from Sucuri during a routine audit for the company’s Web Application Firewall (WAF). They determined that an unauthenticated attacker could leverage the flaw, which affects all versions prior to, to gain control of a website.

While analyzing the code for Custom Contact Forms, a plugin that has been downloaded over 620,00 times from the official WordPress website, researchers noticed that a function called adminInit() contained some functionalities that could be leveraged for malicious purposes. One of the functions allowed users to generate and download a SQL dump of the plugin’s parameters, while another one could be utilized to import an SQL backup to the database.

“Those familiar with WordPress know that all of the table names and some of WordPress’s important option fields names are “protected” by a database prefix set in the website’s wp-config.php file. That said, it is of no use here as we can download a SQL dump of the plugin’s parameters which contains this piece of information!” Sucuri’s Marc-Alexandre Montpas explained in a blog post. “Anybody could alter the SQL dump, adding their own queries to create a new administrative user or modify anything that is stored in the database.”

The plugin’s developers refused to fix the vulnerability after being notified by the security firm, but they did release an update to address the issue after Sucuri alerted the security team at WordPress. Users are advised to update their installations to version or later as soon as possible.

Sucuri has advised WordPress website administrators to use other contact form plugins, such as JetPack and Gravity Forms, accusing the developers of Custom Contact Forms of not taking security seriously.

The security firm has identified serious vulnerabilities in numerous WordPress plugins over the past few months, and recent events have demonstrated that these flaws should not be neglected. A security hole in the MailPoet plugin was recently exploited by attackers to compromise tens of thousands of websites.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.