Contact Form 7 being hijacked to send spam? [closed]

It seems Contact Form 7 allows you to specify the recipient via a select dropdown. This means that the recipient e-mail address is stored in the form and sent to the server, which then just reads it. Unless the server then verifies the recipient address was one of the options you specified, this can be a “security hole” to send spam to other e-mail addresses.

It would work like this: the server is prepared to read the recipient select field, in case you specified one. But even if you did not specify one, the spambot can send a recipient field value to the server, tricking it into thinking it came from a real HTML dropdown. This allows it to specify any value it wants there.

It is possible that Contact Form 7 prevents this kind of attack, but you should check this yourself, I have no further experience with Contact Form 7.

Related Posts:

  1. how to reduce the number of spam comments
  2. A spam bot loves me, what can I do?
  3. How to spam-filter a custom content type with the Akismet plugin?
  4. Getting trackback spam, even with trackbacks disabled
  5. How to block a someone from commenting?
  6. Reducing spammy user sign-ups
  7. How to reduce spam
  8. How do I permanently disable Pingbacks?
  9. What are all these spam subscribers doing here?
  10. How to disable WordPress trackbacks?
  11. How can I delete all my existing trackbacks?
  12. How can I delete all users which have never commented / have posted spam comments?
  13. Comment Spammed vs Trashed
  14. getting casino links on my woocommerce site [closed]
  15. How to locate & delete hidden pages on a site
  16. How is my non-published blog getting so much spam?
  17. Contact Form 7 Plugin send emails to my Gmail as spam [closed]
  18. Automated spam being caught in 2 posts. Can this be used to help get rid of spam on everyone’s sites?
  19. WordPress Site has 35K spam images
  20. WordPress Phone Verification
  21. Is the tagline area spam-bot proof?
  22. Spam email sent from my [email protected] account
  23. How to block spam blocks pointing to a same website [closed]
  24. WordPress VPS out of Memory Problem
  25. Is it possible to determine proxy based comments?
  26. How to track down a phantom contact form?
  27. How to get rid of spam forever?
  28. Spams, Scams on WordPress site – what to do?
  29. Auto block ALL IP’s indicated by Akismet?
  30. How to Prevent Unwanted Spam to Contact Form 7 [closed]
  31. Simple comments spam solution
  32. How to stop people from using my domain to send spam? [duplicate]
  33. how to trash WordPress comments if its not in English
  34. WordPress and wamp sending “Delivery status notification Failure” to my inbox every 7 minutes
  35. Why do I get comment spam even with Akismet and Captcha?
  36. How to add placeholder for contact form7 for dropdown? [closed]
  37. How to use other shortcodes inside Contact form 7- forms? [closed]
  38. Contact form 7 select box different value-text than content-text in option [closed]
  39. Why might a plugin’s ‘do_shortcode’ not work in an AJAX request?
  40. Removing the “Website” Field from Comments and Replies?
  41. How to modify Contact Form 7 Success/Error Response Output [closed]
  42. Why “Contact Form 7” doesn’t update PHPmailer library?
  43. Contact Form 7 – Populate Select List With Taxonomy [closed]
  44. Experiences with adding Nonces to the comment form
  45. Tips for finding SPAM links injected into the_content
  46. How to get current post ID in Contact Form 7 wpcf7_before_send_mail hook action
  47. Contact Form 7 – process form using a PHP script, instead of mailing [closed]
  48. To Disable WordPress Rest API or Not To Disable?
  49. How to execute a server side script when contact form 7 is submitted? [closed]
  50. How to deal with small scale comment spam on small commercial sites? [closed]
  51. Contact Form 7 – add custom function on email send [closed]
  52. What methods should be used to fend off splogs in a multiuser install? [closed]
  53. What’s the easiest way to close comments on media/attachments?
  54. How to resolve “Failed to send your message” problem for Contact Form 7? [closed]
  55. contactform7 remove tags with “wpcf7_autop false” from functions.php
  56. Contact Form 7 Custom Post Action
  57. How can I send to multiple Contact Form 7 recipients based on form input? [closed]
  58. Contact Form 7: wp_mail doesn’t work after update to 4.6
  59. How to remove comment spam in WordPress
  60. How is comment spam received without a comments form?
  61. Local wordpress setup with SPAM in the incoming links dashboard section?
  62. How to choose email recipient in Contact Form 7 based on address state input in form and save to database [closed]
  63. How to prevent spam users registering even with registration disabled
  64. Allow anonymous comments, but prevent spam [closed]
  65. Adding a hyperlink to the checkbox in the contact form 7 [closed]
  66. Creating a contact form without a plugin [closed]
  67. How exactly does Bad Behavior plugin work?
  68. Is there any advantage to emptying comment spam?
  69. Why do I get email notifications about comments that WordPress has already determined are spam?
  70. How to Translate Contact Form 7 using qTranslate? [closed]
  71. show image in mail contact form 7 [closed]
  72. Horizontal (columned) Contact form 7 and acceptance field on devices
  73. Number of External Links in Comments – Moderation Option
  74. using 1 form shortcode (si or cf7) for all multisite sites [closed]
  75. Dynamically send pdf attached to post with contact form 7 [closed]
  76. Passing a variable into Contact Form 7 [closed]
  77. Comments screen in backend, how to disable Quick Edit | Edit | History | Spam | for non admins
  78. How to save contact form 7 data in Custom Post Types (CPT) [closed]
  79. Check spam in custom form – akismet
  80. Mass delete spam accounts
  81. Contact form 7 Dynamic text – placeholder on GET field
  82. What is the best way to avoid spammers registering to my blog?
  83. Transferring contact form input to an email account without using an email-proxy
  84. WordPress Contact Form 7: populate the value of a field dynamically with PHP [closed]
  85. Contact Form 7 – Populating dropdown list with terms relative to the post
  86. What do spammers gain by signing up as a user?
  87. Vue.js + AJAX Shortcode
  88. Contact form 7 dynamic text extension – populate form with title from previous page [closed]
  89. Custom contact form 7 select with custom values [closed]
  90. Contact Form 7 plugin refreshing page on submit [closed]
  91. Upload files – total size limit – WordPress/Contact Form 7
  92. ACF + contact form 7
  93. Strategies for coping with hyperagressive spambots?
  94. Contact Form 7 + Configure SMTP: Sender email appearing as my own email [closed]
  95. How to disable autocomplete for inputs in contact form 7? [closed]
  96. Website is being flooded [closed]
  97. How Do I Prevent Junk Account Creation?
  98. Insert Captcha Code info Any Form (Created of Plugin)
  99. How to programmatically send additional notification emails in Contact form 7 [closed]
  100. Store and Encrypt Contact Form 7 Submissions in Database? [closed]
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)