Contact Form 7 – Dynamic Text Extension Security Vulnerability Patched in version 5.0.4
Update: April 8, 2026
Patchstack reviewed the patch submitted in version 5.0.5 on March 24, 2026, and marked it as incomplete, meaning the immediate vulnerability has been patched but the security around it could be hardened even more. These additional security features will be added in the upcoming version 6 of Contact Form 7 – Dynamic Text Extension. I do not yet have a timeline for its release.
Update: February 2026
Patchstack always displays the latest version of the plugin as vulnerable regardless of which version was verified to be vulnerable in the report (up to and including 5.0.3). I submitted the update to Patchstack back in January and it is still pending on their end.
Screenshot of the Patchstack VDP dashboard showing that a patch was submitted to them on January 5, 2026 but it is still in review by their triage team as of February 11, 2026.
I would also like to note that WordPress.org made an update a year ago that affects who is displayed as the primary author of a WordPress plugin. This change had a detrimental effect because Patchstack reached out to the plugin owner, not the plugin author, which caused the severe delay in patching this vulnerability. I’ve since verified myself as the plugin author in Patchstack, so I should get vulnerability reports going forward.
Original Report Details
Hello! I released version 5.0.4 of Contact Form 7 – Dynamic Text Extension today (January 1, 2026) to patch a security vulnerability. Please see the full details below. Thank you!
Classification
Improper Control of Generation of Code (“Code Injection”)
Description
The plugin exposed an action that passed a request-supplied value to do_shortcode without properly validating it first. Because the action was reachable without authentication, an unauthenticated attacker could have the site evaluate arbitrary shortcodes.
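To make the pattern concrete, here is an added example (not the plugin's own code, and the action names, nonce name and shortcode tags are assumptions for illustration) of a WordPress AJAX handler that evaluates a shortcode from request input, first in the weak form the description above refers to and then in a hardened form that checks authorization and only ever builds the shortcode string from an allowlisted tag and sanitized attributes:

```php
<?php
// Added example, not code from Contact Form 7 - Dynamic Text Extension.
// All function, action, nonce and shortcode names below are hypothetical.

// Weak pattern: the raw request value reaches do_shortcode(), and the action is
// registered for unauthenticated requests (nopriv), so any visitor can make
// the server render whatever shortcode they send.
function example_render_shortcode_weak() {
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    echo do_shortcode( $value );
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_render', 'example_render_shortcode_weak' );

// Hardened pattern: require a nonce and a capability, accept only a known
// shortcode tag plus key/value attributes, and rebuild the shortcode string
// ourselves so no request text is evaluated verbatim.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_date', 'example_user_field' );

function example_render_shortcode_hardened() {
    // Rejects requests without a valid nonce (dies with a 403 on failure).
    check_ajax_referer( 'example_render_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $tag = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode not permitted', 400 );
    }

    $atts = array();
    if ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) ) {
        foreach ( wp_unslash( $_POST['atts'] ) as $key => $val ) {
            $key = sanitize_key( $key );
            if ( '' === $key || ! is_scalar( $val ) ) {
                continue;
            }
            // Brackets would end the shortcode early; strip them, then escape
            // quotes so a value cannot close the attribute it sits in.
            $val    = str_replace( array( '[', ']' ), '', (string) $val );
            $atts[] = $key . '="' . esc_attr( $val ) . '"';
        }
    }

    $shortcode = '[' . $tag . ( $atts ? ' ' . implode( ' ', $atts ) : '' ) . ']';
    wp_send_json_success( do_shortcode( $shortcode ) );
}
// Registered only for logged-in users; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_render', 'example_render_shortcode_hardened' );
```

The design point is that validation happens on the tag and attributes separately, before any string that do_shortcode will parse exists; validating the finished shortcode string after the fact is much harder to get right.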
Exploit Example
A malicious actor could exploit the vulnerability to inject their own content (such as phishing content) into pages and posts on your website.
Impact
“This security issue has a low severity impact and is unlikely to be exploited.” — Patchstack
If the plugin is set to update automatically on your site(s), then there’s nothing else you need to do.
If you need support with my plugin, please check out the support forums or create a post. Please report security bugs found in the source code of Contact Form 7 – Dynamic Text Extension WordPress plugin through the Wordfence Intelligence Vulnerability Submission Form or the Patchstack Vulnerability Disclosure Program. Both platforms will assist you with verification, CVE assignment, and notify me—though I prefer Wordfence because logging into Patchstack’s passwordless VDP requires sending an email with a login link every time which takes centuries to receive in my inbox (if not spam) and there is no “remember me” option. I’m not a fan of a login process that takes 15+ minutes…