The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch. The plugin, Contact Form 7, has over 5 million active installs, making this urgent upgrade a necessity for WordPress site owners out there. An attacker can use the plugin to upload a crafted file containing arbitrary code to the vulnerable server. The vulnerability was discovered and reported by Jinson Varghese Behanan, an information security analyst with Astra Security. The project's fix for the vulnerability is shown below.
Source: https://www.bleepingcomputer.com/news/security/wordpress-plugin-with-5-million-installs-has-a-critical-vulnerability/