Unauthenticated Arbitrary Shortcode Execution | WordPress.org

Resolved andresduro
(@andresduro)

3 months, 3 weeks ago

The The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/contact-form-7-dynamic-text-extension/contact-form-7-dynamic-text-extension-503-unauthenticated-arbitrary-shortcode-execution

Viewing 2 replies - 1 through 2 (of 2 total)

jchambo
(@jchambo)

3 months, 2 weeks ago

No response from the DEV?

Plugin Author Tessa (they/them), AuRise Creative
(@tessawatkinsllc)

3 months, 1 week ago

Hello! I just released version 5.0.4 to patch the vulnerability. If the plugin is set to update automatically on your site(s), then there’s nothing else you need to do. I shelved the updates for version 6 so I could publish this patch today. Thank you for your patience!

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

3 replies
3 participants
Last reply from: Tessa (they/them), AuRise Creative
Last activity: 3 months, 1 week ago
Status: resolved