Contact Form 7 being hijacked to send spam? [closed]

It seems Contact Form 7 allows you to specify the recipient via a select dropdown. This means that the recipient e-mail address is stored in the form and sent to the server, which then just reads it. Unless the server then verifies the recipient address was one of the options you specified, this can be a “security hole” to send spam to other e-mail addresses.

It would work like this: the server is prepared to read the recipient select field, in case you specified one. But even if you did not specify one, the spambot can send a recipient field value to the server, tricking it into thinking it came from a real HTML dropdown. This allows it to specify any value it wants there.

It is possible that Contact Form 7 prevents this kind of attack, but you should check this yourself, I have no further experience with Contact Form 7.

Related Posts:

  1. how to reduce the number of spam comments
  2. A spam bot loves me, what can I do?
  3. How to spam-filter a custom content type with the Akismet plugin?
  4. Getting trackback spam, even with trackbacks disabled
  5. How to block a someone from commenting?
  6. Reducing spammy user sign-ups
  7. How to reduce spam
  8. How do I permanently disable Pingbacks?
  9. What are all these spam subscribers doing here?
  10. How to disable WordPress trackbacks?
  11. How can I delete all my existing trackbacks?
  12. How can I delete all users which have never commented / have posted spam comments?
  13. Comment Spammed vs Trashed
  14. getting casino links on my woocommerce site [closed]
  15. How to locate & delete hidden pages on a site
  16. How is my non-published blog getting so much spam?
  17. Contact Form 7 Plugin send emails to my Gmail as spam [closed]
  18. Automated spam being caught in 2 posts. Can this be used to help get rid of spam on everyone’s sites?
  19. WordPress Site has 35K spam images
  20. WordPress Phone Verification
  21. Is the tagline area spam-bot proof?
  22. Spam email sent from my [email protected] account
  23. How to block spam blocks pointing to a same website [closed]
  24. WordPress VPS out of Memory Problem
  25. Is it possible to determine proxy based comments?
  26. How to track down a phantom contact form?
  27. How to get rid of spam forever?
  28. Spams, Scams on WordPress site – what to do?
  29. Auto block ALL IP’s indicated by Akismet?
  30. How to Prevent Unwanted Spam to Contact Form 7 [closed]
  31. Simple comments spam solution
  32. How to stop people from using my domain to send spam? [duplicate]
  33. Contact Form 7 – Populate Select List With Taxonomy [closed]
  34. Tips for finding SPAM links injected into the_content
  35. To Disable WordPress Rest API or Not To Disable?
  36. How to execute a server side script when contact form 7 is submitted? [closed]
  37. How to deal with small scale comment spam on small commercial sites? [closed]
  38. Allow anonymous comments, but prevent spam [closed]
  39. Why do I get email notifications about comments that WordPress has already determined are spam?
  40. show image in mail contact form 7 [closed]
  41. Passing a variable into Contact Form 7 [closed]
  42. Strategies for coping with hyperagressive spambots?
  43. How to disable autocomplete for inputs in contact form 7? [closed]
  44. How Do I Prevent Junk Account Creation?
  45. How to programmatically send additional notification emails in Contact form 7 [closed]
  46. Prevent CF7 attachment from being deleted [closed]
  47. Something is generating spam pages on my site
  48. How to find the output of contact form 7 shortcode? [closed]
  49. How to use WPML Plugin in contact form 7
  50. Contact Form 7 add ID to radio buttons [closed]
  51. Contact Form 7 to featured image
  52. get values from contact form 7 wp plugin [closed]
  53. How to set Contact Form 7 fields default value using shortcode attribute? [closed]
  54. What is the valid phone number format accepted by contact-form-7 [closed]
  55. Contact Form 7: Email custom HTML inputs or make a field readonly [closed]
  56. CF7 conditional logic [closed]
  57. Contact Form 7 Data to Whatsapp Link
  58. How to programmatically customise the Contact Form7 notification email prior to sending? [closed]
  59. How can i add custom fields into the contact form 7 [closed]
  60. Use onfocus event in Contact Form 7
  61. 2-step contact form, URL field on the site, others inside popup [closed]
  62. Remove #wpcf7-f2450-o1 with Contact form 7 redirect [closed]
  63. Add php variables to custom form submission [closed]
  64. Contact form 7 shortcode appear outside form tag
  65. Contact Form 7- problem with submit button [closed]
  66. Batch approve comments
  67. How do I filter users based on email address?
  68. Is there a spam comment blocker that blocks IP addresses for a limited amount of time? [closed]
  69. donwload pdf file after contactform 7 submisson
  70. Using CFDB7 vs Custom MySQL Database [closed]
  71. call other shortcode in the email contactform7 send [closed]
  72. How to stop direct HTTP POST to a PHP script?
  73. Contact Form 7: Load scripts and styles only when there is shortcode? [closed]
  74. Block registration by URL referrer?
  75. WordPress comment processing . Default unapproved comments detection before posting
  76. Contact7 Check Boxes line breaks when submitted
  77. Conditional Logic on CF7 dropdown options
  78. Contact Form 7: conditional logic in e-mail
  79. Block internal search queries with pre_get_posts and regex rules
  80. How to pass POST data from Contact Form 7 to another subpage after submitting the form
  81. How to use Contact Form 7 shortcode value in a page?
  82. Using htaccess to prevent spam through wp-comments-post.php
  83. How can I automatically delete comments that contain a URL?
  84. How to direct contact form submission to a certain page
  85. CF7 Custom Recipient – Changing the text
  86. when contact form7 submited domain redirects to example.com means (example domain)
  87. Issues after switching over to HTTPS
  88. single quote in contact form 7 input field throwing error on form submission
  89. New accounts daily at WP Multi-User site under development, Analytics reports no traffic. What gives?
  90. User content database [closed]
  91. Send foreach $_post method to contact form 7 [closed]
  92. Contact Form 7 submission does not complete [closed]
  93. Contact Form 7 checkbox to add a new class to a div [closed]
  94. Display Image Upload from Contact Form 7 on Redirect Page [closed]
  95. Contact-7 multi screen dashboard
  96. Contact form with dynamic dropdown and filter
  97. Contact Form 7 – Display Dropdown, Send Different Data
  98. CF7 Wont submit contact form on apple iphones [closed]
  99. CF7 Populate Text Field Based On Checkbox Checked
  100. Adding filter to the Contact Form 7 response