Heads up, WordPress users! A major security flaw has been discovered in the “Database for Contact Form 7, WPForms, Elementor Forms” plugin, also known as the Contact Form Entries Plugin. And yes, it’s serious—over 70,000 websites could be at risk.
What’s the Problem?
This plugin saves all your contact form entries in the WordPress database, letting you view submissions, export them, mark them read/unread, and more. Sounds handy, right? But here’s the kicker: an unauthenticated attacker—basically anyone on the internet—can exploit a flaw in this plugin.
The bug is a PHP Object Injection (POI) vulnerability: the plugin deserializes data it receives from visitors without checking it first, so an attacker can make your site build PHP objects of their choosing. Don’t worry if that sounds like gibberish. In simple terms: it lets a hacker trick your site into running malicious code without needing to log in.
If your site also uses Contact Form 7, attackers can take things even further, like:
- Delete critical files such as wp-config.php (goodbye website!)
- Launch a denial-of-service attack (your site goes down)
- Execute arbitrary code and potentially take over the server
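For readers who want to see what a PHP Object Injection bug looks like in code, here is an added illustration of the general pattern and its fix. It is a constructed example, not code from the Contact Form Entries plugin, and it says nothing about where the real bug sits; the handler names, the "filters" request value and PHP 8.0 or later are assumptions made for the demo.

```php
<?php
// Constructed illustration of the PHP Object Injection pattern and two fixes.
// NOT code from the Contact Form Entries plugin; names and inputs are assumed.

// VULNERABLE: unserialize() on request data. A serialized string can name any
// class already loaded on the site, and PHP will instantiate it with
// attacker-chosen properties and run its magic methods (__wakeup, __destruct,
// __toString, ...). That is what "PHP Object Injection" means.
function load_filters_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED, same format: allowed_classes => false makes PHP refuse to
// instantiate objects. Any object in the payload becomes an inert
// __PHP_Incomplete_Class, so no magic method of any site class is triggered.
// The result is then checked to be the plain array the feature actually needs.
function load_filters_safe(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// HARDENED, preferred for new code: JSON cannot express PHP objects at all,
// so the decoding step has no class-instantiation behaviour to abuse.
// The depth limit keeps deeply nested input from consuming resources.
function load_filters_json(string $raw): ?array
{
    $value = json_decode($raw, true, 16);
    return is_array($value) ? $value : null;
}

// Constructed inputs: the legitimate shape such a feature would expect, and a
// serialized stdClass (harmless here; the point is only that an object was
// smuggled in through data the site treats as a simple filter).
$legit  = serialize(['status' => 'unread', 'per_page' => 20]);
$object = 'O:8:"stdClass":1:{s:4:"note";s:5:"hello";}';

// With the unsafe loader, the object payload is instantiated as a real stdClass.
$unsafe_result = load_filters_unsafe($object);

// With allowed_classes => false, the same payload only yields the inert
// placeholder class, and the safe loader then discards it as "not an array".
$inert       = @unserialize($object, ['allowed_classes' => false]);
$safe_object = load_filters_safe($object);
$safe_legit  = load_filters_safe($legit);
$json_legit  = load_filters_json('{"status":"unread","per_page":20}');

printf("unsafe loader built: %s\n", get_class($unsafe_result));
printf("hardened unserialize built: %s\n", get_class($inert));
printf("safe loader accepted object payload: %s\n", var_export($safe_object !== null, true));
printf("safe loader accepted legit payload: %s\n", var_export($safe_legit !== null, true));
printf("json loader accepted legit payload: %s\n", var_export($json_legit !== null, true));
```

The two hardened loaders are the mitigation any plugin author should apply wherever unserialize() touches request data: either forbid object instantiation outright, or switch the format to JSON. Site owners cannot patch plugin code themselves, which is why updating to the fixed version is the action that matters.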
How Bad Is It?
Bad. Really bad. The vulnerability has a CVSS severity score of 9.8 out of 10. That’s about as high as it gets. Wordfence, the security watchdog, issued a strong warning, and security experts are urging site owners to act fast.
Who’s Affected?
- Websites using Database for Contact Form 7, WPForms, Elementor Forms plugin
- Especially those also using Contact Form 7
- Over 70,000 active WordPress installations
Basically, if you’re running a small business site, blog, or even a portfolio page—check this now.
What Should You Do?
Don’t panic, but don’t wait either. Here’s your quick action plan:
- Update the Plugin – Version 1.4.5 fixes the vulnerability. Do it ASAP.
- Backup Your Site – Always have a recent backup, just in case.
- Audit Your Plugins – Make sure all plugins are from trusted sources and up-to-date.
- Consider Extra Security – WordPress security plugins can monitor suspicious activity.
Quick Facts:
- Vulnerable Versions: All up to 1.4.3
- Discovery: Security researchers (Wordfence)
- Risk Level: Critical, CVSS 9.8 / 10
- Attack Type: PHP Object Injection
Quick Checklist:
- Log in → Plugins → Check for “Contact Form Entries”
- If version ≤ 1.4.3 → Click Update to 1.4.5+
- Backup first & keep Contact Form 7 updated
- Optional: Run a security plugin scan
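If you manage more than one site, clicking through each dashboard is slow. The following added helper turns the checklist into a script you can run with WP-CLI; it is not part of the plugin or of Wordfence's tooling. It assumes the input has the shape of WordPress's get_plugins() return value (plugin file => header array with 'Name' and 'Version'), matches the plugin by its display name because the article does not give its directory slug, and uses the version numbers stated above.

```php
<?php
// Added audit helper for the checklist; not code from the plugin or from Wordfence.
// Assumes get_plugins()-shaped input and matches on the plugin's display name.

const AFFECTED_NAME_PREFIX     = 'Database for Contact Form 7';
const LAST_VULNERABLE_VERSION  = '1.4.3';   // from the article: all versions up to 1.4.3
const FIXED_VERSION            = '1.4.5';   // from the article: the fixed release

/**
 * Return the entries of $plugins (get_plugins() shape) that are still on a
 * vulnerable version, as plugin_file => installed_version.
 */
function find_vulnerable_installs(array $plugins): array
{
    $hits = [];
    foreach ($plugins as $file => $header) {
        $name    = $header['Name'] ?? '';
        $version = $header['Version'] ?? '0';
        if (stripos($name, AFFECTED_NAME_PREFIX) !== 0) {
            continue;                          // some other plugin
        }
        // version_compare() understands "1.4.3" vs "1.4.10" correctly,
        // unlike a plain string comparison.
        if (version_compare($version, LAST_VULNERABLE_VERSION, '<=')) {
            $hits[$file] = $version;
        }
    }
    return $hits;
}

// Constructed sample of what get_plugins() might return on a site that is still
// on 1.4.3. The directory slug is a placeholder, not taken from the article.
$sample = [
    'PLACEHOLDER-slug/plugin.php' => [
        'Name'    => 'Database for Contact Form 7, WPForms, Elementor Forms',
        'Version' => '1.4.3',
    ],
    'contact-form-7/wp-contact-form-7.php' => [
        'Name'    => 'Contact Form 7',
        'Version' => '5.9',
    ],
];

// On a real site, run this inside WordPress (for example `wp eval-file audit.php`)
// and replace $sample with the live list:
//   if (!function_exists('get_plugins')) {
//       require_once ABSPATH . 'wp-admin/includes/plugin.php';
//   }
//   $plugins = get_plugins();
foreach (find_vulnerable_installs($sample) as $file => $version) {
    echo "UPDATE NEEDED: $file is at $version; upgrade to " . FIXED_VERSION . " or later\n";
}
```

Run it against each site before and after the update: an empty result means every copy of the plugin is past the vulnerable range.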
So yes, your contact form plugin is supposed to make life easier, but if ignored, it could literally break your website. Update now, breathe easy later.