An unrestricted file upload vulnerability, the most dangerous class of web vulnerability, was discovered in the Contact Form 7 plugin, versions 5.3.1 and below, which is installed on 5 million sites.

Alert: File Upload Vulnerability in Contact Form 7 5.3.1 and Below

According to Astra, who discovered the vulnerability, 5 million sites are affected.

An attacker can inject a malicious script by uploading a web shell (a malicious program).
If the websites on the same server are not isolated from one another (no containerization), the compromise can spread to every site on that server.

Extreme vigilance is required.

It carries a CVSS score (vulnerability severity rating) of 10, the highest level that can be assigned:
https://nvd.nist.gov/vuln/detail/CVE-2020-35489

Countermeasures

1. Update Contact Form 7 to the latest version.

2. If that is not possible, manually patch the vulnerable file.
According to the Contact Form 7 developer's revision history, the following fix is believed to close the vulnerability:

https://github.com/takayukister/contact-form-7/commit/2e45060ff0b4610e9665d996bc91f725ff5fc381

In wp-content/plugins/contact-form-7/includes/formatting.php, inside the wpcf7_antiscript_file_name function, add the following line immediately after $filename has been passed through the basename function:

$filename = preg_replace( '/[\pC\pZ]+/i', '', $filename ); // add this line: removes every run of control (\pC) and separator (\pZ) characters from the filename

The quantifier is + (one or more characters); without it the pattern would not match a lone control character and the fix would be ineffective.
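To show what the quoted line actually removes, and why the extension check must run on the cleaned name rather than on what the client sent, here is an added Python example. It is not Contact Form 7's code; the allow-list, the blocklist and the sample filenames are constructed for illustration. Python's re module has no \pC/\pZ classes, so unicodedata.category is used to select the same Unicode general categories (C* and Z*) that the PHP regex targets.

```python
"""Filename normalization in the spirit of the CVE-2020-35489 fix (added example, not plugin code)."""
import os
import unicodedata

# Constructed allow-list for the example; a real deployment configures its own.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Constructed blocklist, standing in for "reject executable types" logic. It is
# here only to show why the name must be normalized before any comparison.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar", "js", "html"}


def strip_control_and_separator(name: str) -> str:
    """Drop characters whose Unicode general category starts with C or Z.

    Equivalent to the PHP fix's preg_replace('/[\\pC\\pZ]+/i', '', $name):
    C* = control, format, surrogate, private-use, unassigned code points;
    Z* = space separators (e.g. U+00A0), line and paragraph separators.
    """
    return "".join(ch for ch in name if unicodedata.category(ch)[0] not in ("C", "Z"))


def sanitize_upload_name(raw: str) -> str:
    """Basename first (the order the advisory gives), then strip C*/Z* characters."""
    base = os.path.basename(raw.replace("\\", "/"))
    return strip_control_and_separator(base)


def extension_of(name: str) -> str:
    """Final extension in lower case, or '' when the name has no dot."""
    if "." not in name:
        return ""
    return name.rpartition(".")[2].lower()


def naive_blocklist_rejects(raw: str) -> bool:
    """Weak pattern: compare the extension of the *raw* client name against a blocklist.

    A trailing control character makes the extension 'php\\t', which is not in
    the set, so the check passes even though the stored file would still end in .php.
    """
    return extension_of(raw) in BLOCKED_EXTENSIONS


def hardened_upload_allowed(raw: str) -> bool:
    """Hardened pattern: sanitize, then allow-list the extension of the name that will be stored."""
    clean = sanitize_upload_name(raw)
    return bool(clean) and extension_of(clean) in ALLOWED_EXTENSIONS


def demo() -> dict:
    """Run both checks over constructed sample names; returns the decisions for inspection."""
    samples = [
        "notes\t.txt",              # tab (Cc) inside the name
        "report\u200b.pdf",         # zero-width space (Cf)
        "holiday\u00a0photo.jpg",   # no-break space (Zs)
        "..\\..\\x.jpg",            # path components collapse to the basename
        "script.php\t",             # trailing tab hides the extension from a raw blocklist
    ]
    return {
        s: {
            "sanitized": sanitize_upload_name(s),
            "naive_blocklist_rejects": naive_blocklist_rejects(s),
            "hardened_allows": hardened_upload_allowed(s),
        }
        for s in samples
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(repr(name), result)
```

The design point is the one the patch location implies: whatever string the server will eventually use as the filename is the only string worth validating, so normalization has to happen before the extension logic, not after it.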

For vulnerability testing, please use the [Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal].