ALERT: Update WordPress Contact Form 7 plugin before 12/30

Tuesday, December 22, 2020

This information is intended for U-M IT staff who are responsible for university websites that use WordPress. It was sent to U-M IT groups via email on December 22, 2020.


A vulnerability has been discovered in the WordPress Contact Form 7 plugin. WordPress is an open source content management system for websites. An attacker could exploit the vulnerability to compromise websites that use the plugin. Sites that use the plugin must be updated before December 30, 2020.


There is an unrestricted file upload vulnerability (CVE-2020-35489) in the WordPress Contact Form 7 plugin that can allow an attacker to bypass Contact Form 7's filename sanitization protections when uploading files. An attacker can upload a crafted file with arbitrary code on the vulnerable server using the plugin.


If file uploads are enabled, your website can be compromised.

Affected Versions

The WordPress Contact Form 7 plugin.

Action Items

  • You must update the plugin before December 30, 2020. Details about the vulnerability are expected to be made public after that date.
  • If your web site is not updated before December 30, ITS will take actions to mitigate the vulnerability, including disabling vulnerable sites.
  • The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Technical Details

It is expected that technical details will be released publicly on or after December 30.

How We Protect U-M

  • ITS Information Assurance (IA) is sending email to known administrators of websites at U-M known to use the WordPress Contact Form 7 plugin.
  • IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.

Information for Users

This vulnerability is in software used to manage websites. It must be updated by the administrators of those sites.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.