ContactForm7 vulnerability

Hannah discovers bug in Contact Form 7 to bypass CAPTCHA

Contact Form 7 is one of the most popular website contact forms implemented throughout websites developed using WordPress. It allows users to quickly and easily submit a message or query to the owner of the site without the need to compose an entire email using a regular client.

Contact Form 7 makes use of a CAPTCHA facility in order to prevent the risk of exploitation from bots and potential attackers. An exploitation could result in an influx of requests, resulting in a possible Denial of Service attack against the site’s email recipients.

Whilst testing this CAPTCHA facility on our own website, Hedgehog Security were able to bypass this feature and flood our inbox with thousands of requests.

The author of the plugin has now been notified and a fix was released within a matter of hours. To apply the fix, visit the link below and update to version 3.7.2:

As a further precaution, it is advised that users of contact forms within their website(s) protect themselves by limiting the recipients of their contact forms, as well as to create an inbox rule to place the messages into a separate inbox folder.



This vulnerability has now been granted a CVE-ID. This can be viewed at

An advisory for this vulnerability may also be viewed below:

CVE: CVE-2014-2265
Vendor: Rock Lobster, LLC.
Product: ContactForm7
Affected Version: 3.7.1 and earlier
Fixed Version: 3.7.2
Reported by: Hannah Sharp


It is possible to bypass the CAPTCHA facility and fill the recipient’s inbox with an influx of requests. The removal of the ‘_wpcf7_captcha_challenge_captcha-719’ parameter (or just the contents of the parameter) from a request sent via a form using CAPTCHA allows the sender to bypass validation. Because of this, a sender is able to automate the transmission of a huge number of emails to the site’s email recipients.

The following is an example request sent via ContactForm7 using CAPTCHA:

Host: <host>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: <referer>
Content-Length: 238
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


Potential Denial of Service attack against the site’s email recipients.


Exploit code is not required.

Vendor status:

25/02/2014 Advisory created
26/02/2014 Vendor contacted
26/02/2014 Vendor working on a fix
26/02/2014 Fix released
27/02/2014 Fix confirmed
04/03/2014 CVE obtained
04/03/2014 Published
Hedgehog Hosting & Hedgehog Security are trading divisions of Hibernaculum Ltd | Copyright ©2010. - 2014 | All Rights Reserved.

Registered Address: Sugnall Business Center, Sugnall, Stafford, ST21 6NF | Telephone 01782 467900
Malvern Cyber Security Cluster CREST Approved