mrmcx

Hi Snuwerd,
to exploit this vulnerability an attacker only needs access to any form that will be saved to the db and then exported as an excel file and downloaded.
The excel file will then execute the potentially malicous code on the computer of the person who opens the excel file.

Yes it does…
I also tried different settings (auto on, other list etc.) but that didn’t change anything

I didn’t change anything in the plugin or the CF7 plugin.

I fixed it with

.wpcf7-form-control-wrap.mailpoetsignup br {
    display: none;
}

but this should not be a final solution IMHO