Replies: 0
Hi all,
I’m hoping someone can answer a question for me. I’ve been running the OWASP ZAP tool against a couple of local sites running CF7, and it has highlighted a few issues. The main one is the apparent opportunity for Remote OS Command Injection via the hidden fields included in every CF7 form, e.g. _wpcf7_version.
I’m hoping these results are just false positives; however, I would like to clarify where the responsibility lies regarding filtering the data from submitted forms. I had assumed this would happen automatically as part of your plugin code, but maybe I’m wrong. Maybe we need to filter data via hooks before CF7 processes it – could you confirm please?
FYI, we’re using a custom WordPress theme running WordPress 4.7.2 & ContactForm7 4.6.1
Many thanks,
Mike
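As an added example (not part of the original post, and not Contact Form 7's own code), here is how a site owner could enforce a strict allow-list on the CF7 metadata fields from a theme or plugin, independent of whatever sanitization the plugin itself performs. It assumes WordPress with Contact Form 7 active and that the `wpcf7_posted_data` filter sees the `_wpcf7*` fields for the version in use; the field names other than `_wpcf7_version` and the exact value formats are assumptions to check against the plugin source you are running. The point is defensive: a value that can only ever match a short fixed pattern cannot carry a shell metacharacter, so a scanner finding on that field can be triaged as a false positive once the check is in place.

```php
<?php
// Added example, not from the original post or the Contact Form 7 project.
// Assumptions: runs inside WordPress with CF7 active; the 'wpcf7_posted_data'
// filter receives the submitted fields including CF7's own hidden metadata.
// Field names and formats below (other than _wpcf7_version) are assumptions
// to verify against the plugin version you run.

add_filter( 'wpcf7_posted_data', 'example_strict_cf7_metadata', 10, 1 );

/**
 * Drop any CF7 metadata field whose value does not match a fixed pattern.
 *
 * @param array $posted_data Submitted fields as CF7 passes them to the filter.
 * @return array The same array with non-conforming metadata values removed.
 */
function example_strict_cf7_metadata( $posted_data ) {
    // Allow-list: each metadata field may only ever hold one simple shape.
    $allowed = array(
        '_wpcf7'          => '/^\d{1,10}$/',                 // form post ID
        '_wpcf7_version'  => '/^\d{1,3}(\.\d{1,3}){1,2}$/',  // e.g. 4.6.1
        '_wpcf7_locale'   => '/^[A-Za-z]{2,3}(_[A-Za-z0-9]{1,8})?$/', // e.g. en_US
        '_wpcf7_unit_tag' => '/^wpcf7-f\d+(-p\d+)?-o\d+$/',  // e.g. wpcf7-f12-p3-o1
    );

    foreach ( $allowed as $key => $pattern ) {
        if ( ! isset( $posted_data[ $key ] ) ) {
            continue;
        }
        $value = $posted_data[ $key ];
        // Arrays or oversized strings are never valid for these fields.
        if ( ! is_string( $value ) || strlen( $value ) > 64 || ! preg_match( $pattern, $value ) ) {
            // Remove rather than "clean": a malformed metadata value has no
            // legitimate use, and logging the key (not the value) is enough
            // for detection without writing attacker-controlled input to logs.
            unset( $posted_data[ $key ] );
            error_log( sprintf( 'CF7 metadata field %s rejected: unexpected format', $key ) );
        }
    }

    return $posted_data;
}
```

Because this runs as an ordinary WordPress filter, it does not change the plugin and survives CF7 updates; if the version you run does not pass the metadata fields through `wpcf7_posted_data`, the function simply has nothing to check, so confirm that assumption with a debug log line before relying on it.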