Jinson Varghese

Hi Roman,

The vulnerability only affects forms with file upload enabled. So if your form does not have file fields, it won’t affect you. Regardless, it is recommended to update to the latest version.

[NOTE] While the multipart/form-data body can be sent in the request even though file upload is not enabled, the files do not get saved. We have checked this from our end.

You can find more information about the vulnerability at https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/

In this GDPR plugin hack, the attacker gets access to create an option in the database which in turn gives him access to the admin panel. Once he has access, he can perform various malicious actions.

Some things you should check:

– if a new admin user is added
– if your site url is changed
– if the website gets redirected

To read more about this issue and possibles fixes, you can refer to the following link:

https://www.getastra.com/blog/cms/wordpress-security/wordpress-gdpr-plugin-exploit-privilege-escalation-vulnerability/