We were recently advised that Freemius Insights, a 3rd party library used by Contact Form 7 Skins (since v1.2.2) to implement opt-in data collection, has a severe security vulnerability.
You need to update to Contact Form 7 Skins v2.1.1 (or higher) IMMEDIATELY – to avoid your sites remaining vulnerable.
We’ve removed Freemius from Contact Form 7 Skins
Here at CF7 Skins we’ve made the decision to remove Freemius from CF7 Skins completely, effective immediately.
This provides the safest option in our opinion. We are not convinced, at this stage, that Freemius can provide a reliable assurance that it will not be subject to other severe security vulnerabilities in future.
Update Contact Form 7 Skins IMMEDIATELY
You should immediately update to Contact Form 7 Skins v2.1.1 (or higher) on every site where you are using our plugin.
We are very sorry for the inconvenience and apologize for including this vulnerable 3rd party library in our plugin.
CF7 Skins Add-ons not affected
This issue does not apply to any CF7 Skins Add-ons as they do not use Freemius for opt-in data collection.
Security vulnerability published
The security vulnerability has now been published on the following significant sites:
- Freemius Patches Severe Vulnerability in Library Used by Popular WordPress Plugins
- Hackers Are Probably Already Exploiting This Authenticated Option Update Vulnerability Just Fixed in Freemius
This is important as it allows many WordPress users to update their WordPress websites to remove this severe security vulnerability.
But it also makes this information available to hackers. It is likely that this vulnerability will become a popular exploit on WordPress sites over time.
WordPress site owners who don’t update older versions of WordPress plugins & themes that contain this vulnerability are much more likely to be hacked at some stage.
Check other plugins you are using
Freemius is included with many popular plugins (& some themes) including:
- NextGEN Gallery (1,000,000+ installs)
- 404 – 301 (100,000+ installs)
- WP Security Audit Log (80,000+ installs)
- FooGallery (100,000+ installs)
1. Update published
If you see an update for a plugin or theme that uses Freemius – you should update immediately.
2. Update not yet available
If you are using a plugin that includes Freemius and the author has not yet released a patched version, you should consider deactivating the plugin temporarily until a patch is available.
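Because Freemius is vendored inside each plugin rather than installed once, the only reliable way to know which of your installed plugins and themes bundle it is to look at the files on disk. The script below is an added example (not from the CF7 Skins post and not a Freemius or WordPress tool): it walks a WordPress plugins directory, reports every plugin that ships a copy of the Freemius SDK, and prints the SDK version that copy declares, so you can compare it against the version the vendor’s advisory says is fixed. It assumes the SDK is vendored as `<plugin>/freemius/start.php` (or one level deeper, such as `<plugin>/vendor/freemius/start.php`) and that `start.php` sets `$this_sdk_version = 'X.Y.Z';`, as the public SDK source does; a plugin whose `start.php` does not match that pattern is listed with the version `unknown`.

```shell
#!/bin/sh
# Added example (not part of the CF7 Skins post): list installed WordPress
# plugins that bundle the Freemius SDK, with the SDK version each one ships.
#
# Assumptions: the SDK lives at <plugin>/freemius/start.php (possibly one
# directory deeper, e.g. <plugin>/vendor/freemius/start.php) and start.php
# contains a line like   $this_sdk_version = '2.3.0';
#
# Usage: find_freemius_sdks /var/www/html/wp-content/plugins
# Output: one line per plugin, "<plugin-slug><TAB><sdk-version|unknown>"

find_freemius_sdks() {
    plugins_dir="${1%/}"                       # drop a trailing slash, if any
    if [ ! -d "$plugins_dir" ]; then
        echo "no such directory: $plugins_dir" >&2
        return 1
    fi

    # Locate every vendored SDK entry point below the plugins directory.
    find "$plugins_dir" -type f -path '*/freemius/start.php' 2>/dev/null |
    sort |
    while IFS= read -r start_php; do
        # The plugin slug is the first path component under the plugins dir.
        rel="${start_php#"$plugins_dir"/}"
        slug="${rel%%/*}"

        # Pull the declared SDK version out of start.php; [$] keeps the dollar
        # sign literal in the regex, and either quote style is accepted.
        version=$(sed -n \
            "s/.*[$]this_sdk_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
            "$start_php" | head -n 1)

        printf '%s\t%s\n' "$slug" "${version:-unknown}"
    done
}
```

Run it against the plugins directory of each site you manage (and against `wp-content/themes` for themes that bundle the SDK). The script only tells you which version is present; whether that version is the patched one has to be checked against the vendor’s advisory, which this post does not reproduce. Plugins that appear in the list and have no update available are the ones to consider deactivating until a patch ships.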