WP contact form security against spammers.

I've just hardened my copy of wp-contact-form (version 1.4.2) to stop spammers sending shit through my website.

Spammers were still able to inject headers through the body of the message, so the check must also be run on the body, and the bcc: string must be added to the list of forbidden inputs.

To learn how to harden the script, continue reading the post.

You should edit the function wpcf_is_malicious in wp-contactform.php, replacing it with this:

// REMEMBER TO REMOVE STARTING AND ENDING php TAGS
function wpcf_is_malicious($input, $textarea = false) {
	$is_malicious = false;
	// Header names a spammer needs in order to add recipients or a forged
	// MIME part to the outgoing mail; matched case-insensitively below.
	$bad_inputs = array("mime-version", "content-type", "cc:", "to:", "bcc:");
	if(!$textarea) {
		// Single-line fields (name, e-mail, website) must never contain a
		// line break: the line break is what turns injected text into a
		// new mail header. The textarea legitimately contains line breaks,
		// so only the header names are checked there.
		$bad_inputs[] = "\n";
		$bad_inputs[] = "\r";
	}
	foreach($bad_inputs as $bad_input) {
		if(strpos(strtolower($input), strtolower($bad_input)) !== false) {
			$is_malicious = true; break;
		}
	}
	return $is_malicious;
}

Then, in the same file, at about line 100, edit the condition that calls the function above so that the message body is checked too (with the second argument set to true):

// REMEMBER TO REMOVE STARTING AND ENDING php TAGS
if(wpcf_is_malicious($_POST['wpcf_your_name']) || wpcf_is_malicious($_POST['wpcf_email']) || wpcf_is_malicious($_POST['wpcf_website']) || wpcf_is_malicious($_POST['wpcf_msg'], true)) {
	$ok = false; $reason = 'malicious';
}
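To see what the hardened check actually does with real submissions, here is an added stand-alone example (mine, not code from the original post or from the wp-contact-form plugin). It runs wpcf_is_malicious over a few constructed form values, both single-line fields and the textarea, and also shows a positive check for the e-mail field using PHP's filter_var, wrapped in a hypothetical helper named wpcf_email_is_valid that does not exist in the plugin. All addresses and messages below are made up for the demonstration.

```php
<?php
// Added example, not part of the original post or of the wp-contact-form
// plugin: runs the hardened wpcf_is_malicious() check over constructed form
// inputs so you can see what it rejects, and what it rejects by mistake.

function wpcf_is_malicious($input, $textarea = false) {
	$is_malicious = false;
	// Header names a spammer needs in order to add recipients or a forged
	// MIME part to the outgoing mail.
	$bad_inputs = array("mime-version", "content-type", "cc:", "to:", "bcc:");
	if (!$textarea) {
		// Single-line fields must never contain a line break: the line break
		// is what turns injected text into a new mail header.
		$bad_inputs[] = "\n";
		$bad_inputs[] = "\r";
	}
	foreach ($bad_inputs as $bad_input) {
		if (strpos(strtolower($input), strtolower($bad_input)) !== false) {
			$is_malicious = true;
			break;
		}
	}
	return $is_malicious;
}

// Hypothetical helper (my addition, not in the plugin): a positive check for
// the e-mail field. A syntactically valid address cannot contain a line break,
// so it stops the same payloads without relying on the blacklist.
function wpcf_email_is_valid($email) {
	return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed submissions: value, whether it is the textarea, description.
$samples = array(
	array("Mario Rossi", false, "plain name"),
	array("Mario Rossi\r\nBcc: target@example.invalid", false, "name carrying an injected Bcc header"),
	array("mario@example.invalid", false, "plain e-mail address"),
	array("mario@example.invalid\nCc: other@example.invalid", false, "e-mail address with an injected Cc header"),
	array("Hello,\nI would like a quote for 10 licences.\nThanks", true, "legitimate multi-line message"),
	array("Content-Type: text/html\n\n<b>buy now</b>", true, "message body smuggling a MIME header"),
	array("Please send the invoice to: my office", true, "legitimate message tripping the to: pattern (false positive)"),
);

foreach ($samples as $sample) {
	list($value, $is_textarea, $description) = $sample;
	$verdict = wpcf_is_malicious($value, $is_textarea) ? "REJECTED" : "accepted";
	printf("%-8s  %s\n", $verdict, $description);
}

// The e-mail field checked both ways: blacklist and positive validation.
foreach (array("mario@example.invalid", "mario@example.invalid\nCc: other@example.invalid") as $email) {
	printf("blacklist=%s  filter_var=%s  %s\n",
		wpcf_is_malicious($email) ? "reject" : "accept",
		wpcf_email_is_valid($email) ? "valid" : "invalid",
		json_encode($email));
}
```

Run it with `php` from the command line. The two injected submissions and the body carrying a MIME header are rejected, the plain values and the multi-line message are accepted, and the last sample shows the price of a substring blacklist: any legitimate text containing "to:" (or "cc:") in the body is refused as well, so expect a few false positives from honest visitors. For the e-mail field the filter_var check rejects the injected address without that side effect, which is why it is worth running alongside the blacklist.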

©MMVIII Bologna Informatica - p.i. 0123456789