Abandoned Contact Form 7

abandoned-contact-form-7 · by zealopensource
Active installs: 100
Current version: 2.4
Added: 2020-09-17
Last updated: 2026-05-20 (22d ago)
First seen by beacon: 1mo ago
Total downloads: 5,655

Alerts (0)

No open alerts.

Resolved alerts (1)
Critical code_pattern Resolved · vendor_self_update_zealousweb_legit 2026-05-08 11:25:12 (1mo ago)
Slug: abandoned-contact-form-7
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 2.2
Hit count: 1
First hit:
  File: inc/class.cf7af.update.php
  Line: 162
  Snippet: L155: $request = wp_remote_post( $this->update_path, $params ); → L162: return @unserialize( $request['body'] );
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
Raw JSON:
{
    "slug": "abandoned-contact-form-7",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.2",
    "hit_count": 1,
    "first_hit": {
        "file": "inc/class.cf7af.update.php",
        "line": 162,
        "snippet": "L155: $request = wp_remote_post( $this->update_path, $params );  \u2192  L162: return @unserialize( $request['body'] );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to abandoned-contact-form-7 on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer      Member since  Commits  First commit           Latest commit
ZealousWeb     2015-04-01    2        2020-09-17 · r2383635  2026-05-20 · r3538707
plugin-master  2007-03-09    1        2020-09-16 · r2383200  2020-09-16 · r2383200

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor  Member since  SVN access  Status
ZealousWeb   2015-04-01    2 commits   Active

Versions (14 most recent)

Version  Released              Download
2.4      2026-05-20 · 22d ago  zip
2.3      2026-05-20 · 22d ago  zip
2.2      2025-12-16 · 5mo ago  zip
2.1      2025-10-08 · 8mo ago  zip
3.0.0    2025-10-08 · 8mo ago  zip
2.9      2025-10-08 · 8mo ago  zip
2.0      2025-05-23 · 1y ago   zip
1.9      2025-02-12 · 1y ago   zip
1.8      2025-02-12 · 1y ago   zip
1.7      2024-07-12 · 1y ago   zip
1.6      2024-05-29 · 2y ago   zip
1.5      2023-01-12 · 3y ago   zip
1.1      2020-10-22 · 5y ago   zip
1.0      2020-10-20 · 5y ago   zip