This Contact Form 7 vulnerability advisory was published by our penetration tester, Hannah Sharp, in February 2014. The Rock Lobster Contact Form 7 WordPress plugin, prior to version 3.7.2, could allow remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the `_wpcf7_captcha_challenge_captcha-719` parameter.
The Contact Form 7 vulnerability was discovered by Hannah Sharp during a routine penetration test of our own website following the deployment of the latest plugin updates. Rock Lobster was contacted immediately and was very quick to turn around the fix and updates. The vulnerability was published under CVE-2014-2265.
| Item | Detail |
|---|---|
| Affected | Contact Form 7 WordPress Plugin |
| Issue | It is possible to bypass the CAPTCHA challenge by omitting the `_wpcf7_captcha_challenge_captcha-719` value |
| Risk | No anti-robot protection on the form can result in misuse of the form by spammers |
| Vulnerability Type | Bypass a restriction |
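The class of flaw behind this advisory, shown as an added PHP illustration rather than the plugin's own code: a CAPTCHA check that only runs when the challenge field is present in the POST body, beside a hardened version that treats a missing or empty field as a failed check. The helper `captcha_answer_for()`, the stored answer and the sample requests are assumptions constructed for the example.

```php
<?php
// Added illustration of the logic flaw described in the advisory; this is
// not code from the Contact Form 7 plugin. Helper names are hypothetical.

// Hypothetical helper: returns the expected answer for a challenge id
// (e.g. "captcha-719") that the server generated when the form was rendered.
function captcha_answer_for(string $challenge_id): ?string {
    // Constructed sample store; a real plugin keeps this server-side per form.
    $store = ['captcha-719' => 'k7wq2'];
    return $store[$challenge_id] ?? null;
}

// Vulnerable shape: validation is gated on the field being posted at all.
// A request that simply leaves the field out never reaches the comparison.
function vulnerable_is_captcha_ok(array $post): bool {
    $field = '_wpcf7_captcha_challenge_captcha-719';
    if (isset($post[$field])) {
        $expected = (string) captcha_answer_for('captcha-719');
        return hash_equals($expected, (string) $post[$field]);
    }
    return true; // missing challenge treated as "nothing to validate"
}

// Hardened shape: the server, not the client, decides whether a CAPTCHA is
// required, so a missing or empty field is a failure rather than a skip.
function hardened_is_captcha_ok(array $post, bool $captcha_required = true): bool {
    if (!$captcha_required) {
        return true;
    }
    $field    = '_wpcf7_captcha_challenge_captcha-719';
    $expected = captcha_answer_for('captcha-719');
    if ($expected === null || !isset($post[$field]) || $post[$field] === '') {
        return false;
    }
    return hash_equals($expected, (string) $post[$field]);
}

// Constructed requests: one omitting the challenge field, one answering it.
$missing = ['your-name' => 'sender', 'your-message' => 'hello'];
$correct = $missing + ['_wpcf7_captcha_challenge_captcha-719' => 'k7wq2'];

echo 'vulnerable, field omitted: ', var_export(vulnerable_is_captcha_ok($missing), true), PHP_EOL;
echo 'hardened,   field omitted: ', var_export(hardened_is_captcha_ok($missing), true), PHP_EOL;
echo 'hardened,   correct answer: ', var_export(hardened_is_captcha_ok($correct), true), PHP_EOL;
```

The first line shows why omitting the parameter was enough to get past the check; the hardened function keys the requirement on the form's server-side configuration rather than on what the client chose to send.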