Blog | G5 Cyber Security

5 million WordPress sites potentially impacted by a Contact Form 7 flaw

The development team behind the Contact Form 7 WordPress plugin has disclosed an unrestricted file upload vulnerability. The plugin allows users to add multiple contact forms on their site and has over 5 million active installs. Attackers can exploit the vulnerability to upload a file that can be executed as a script file on the underlying server. The issue allows attackers to bypass the plugin's filename sanitization and upload files of any type, bypassing all restrictions placed on the file types that may be uploaded to a website.

Source: https://securityaffairs.co/wordpress/112407/hacking/contact-form-7-flaw.html
