On July 24, 2019, we received an XSS vulnerability report for Contact Form 7 – Dynamic Text Extension. The plugin was immediately patched and the fix released in version 2.0.3. While this vulnerability is unlikely to affect many users due to its nature, it is recommended that all Contact Form 7 Dynamic Text Extension users upgrade to the latest version immediately.
|Vulnerability Status:||Resolved (v2.0.3)|
|Plugin:||Contact Form 7 – Dynamic Text Extension|
|Type:||Reflected XSS vulnerability|
|Versions affected:||< 126.96.36.199|
|Fix released:||2.0.3 on July 24, 2019|
Usage of CF7_GET and CF7_POST shortcodes outside of Contact Form 7 itself could result in XSS vulnerability.
Because this issue is only present when using the CF7 DTX shortcodes outside the CF7 DTX, it’s unlikely to affect users in practice.
If you are using the CF7_GET or CF7_POST shortcodes inside the CF7 form tags (standard plugin usage), such as
[dynamictext dynamictext-550 "CF7_GET key='test'"]
you are protected because the CF7 DTX escapes the shortcode output before placing it in the form input attribute.
The vulnerability occurs if the shortcode were to be used outside of a CF7 form tag in a non-standard way, for example, within page content as:
[ CF7_GET key="test" ]
There is no application for using the shortcode in this way, so fortunately the impact of this vulnerability should be minimal. However, if you are doing so, updating will patch the vulnerability.
This vulnerability is resolved in v2.0.3 by sanitizing the shortcode output even when used outside of Contact Form 7.
To resolve the vulnerability, just update Contact Form 7 – Dynamic Text Extension to version 2.0.3 or later.