Abandoned Contact Form 7

abandoned-contact-form-7 · by zealopensource · wordpress.org ↗ · SVN ↗
Active installs
100
Current version
2.7
Added
2020-09-17
Last updated
2026-06-16 (16d ago)
First seen by beacon
2mo ago
Total downloads
6,011

Statistics

2024-06-16 → 2026-06-15 · 730 days

Active-install and ratings figures are the last values WP Beacon captured before wordpress.org closed this plugin — wp.org no longer publishes them. Daily downloads are still updated.

Downloads today
1
7-day total 116
Week over week
▲ +73%
vs prior 7 days
30-day trend
flat
▲ +258% MoM
Abandonment
●●○○○
closed on wp.org
Downloads/day Linear trend
10176512502024-062024-102025-022025-062025-102026-022026-06
10176512502026-032026-042026-042026-052026-052026-06
10176512502026-052026-052026-052026-062026-062026-06

Active versions

2.52.21.62.41.7
2.5 · 21.6%2.2 · 21.0%1.6 · 19.3%2.4 · 19.3%1.7 · 11.6%2.0 · 7.2%

Ratings last captured

No ratings data.

Alerts (0)

No open alerts.

Show 2 resolved alerts
Low plugin_closed Resolved · monitored_closure 2026-06-14 03:11:53 (18d ago)
Slugabandoned-contact-form-7
Closed reason
Closed date2026-06-10 00:00:00
Active installs100
View raw JSON
{
    "slug": "abandoned-contact-form-7",
    "closed_reason": "",
    "closed_date": "2026-06-10 00:00:00",
    "active_installs": 100
}
Critical code_pattern Resolved · vendor_self_update_zealousweb_legit 2026-05-08 11:25:12 (1mo ago)
Slugabandoned-contact-form-7
Patternunserialize_after_remote_call
Kindbuiltin
Version2.2
Hit count1
First hit
File
inc/class.cf7af.update.php
Line
162
Snippet
L155: $request = wp_remote_post( $this->update_path, $params ); → L162: return @unserialize( $request['body'] );
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "abandoned-contact-form-7",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.2",
    "hit_count": 1,
    "first_hit": {
        "file": "inc/class.cf7af.update.php",
        "line": 162,
        "snippet": "L155: $request = wp_remote_post( $this->update_path, $params );  \u2192  L162: return @unserialize( $request['body'] );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to abandoned-contact-form-7 on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
ZealousWeb 2015-04-01 62 2020-09-17 · r2383635 2026-06-16 · r3574337
plugin-master 2007-03-09 1 2020-09-16 · r2383200 2020-09-16 · r2383200

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
ZealousWeb 2015-04-01 62 commits Active

Versions (17 most recent)

Version Released Download
2.5 zip
2.6 zip
2.7 zip
2.4 2026-05-20 · 1mo ago zip
2.3 2026-05-20 · 1mo ago zip
2.2 2025-12-16 · 6mo ago zip
2.1 2025-10-08 · 8mo ago zip
3.0.0 2025-10-08 · 8mo ago zip
2.9 2025-10-08 · 8mo ago zip
2.0 2025-05-23 · 1y ago zip
1.9 2025-02-12 · 1y ago zip
1.8 2025-02-12 · 1y ago zip
1.7 2024-07-12 · 1y ago zip
1.6 2024-05-29 · 2y ago zip
1.5 2023-01-12 · 3y ago zip
1.1 2020-10-22 · 5y ago zip
1.0 2020-10-20 · 5y ago zip