Allowing Access to Post Meta and User Data

Jump to:

Overview
Background & Security Considerations
Access Control
- Post Meta Access
- User Data Access
What to do after updating to v4.2.0 or later
Form Scanner Tool
Validation Tool
Programmatic Control via Filters

Overview

As of CF7 DTX v4.2.0, all access to post metadata and user data accessed via the CF7_get_custom_field and CF7_get_current_user shortcodes is disallowed by default.

To allow access to specific metadata or user data, administrators can add those keys to the Allow Lists by going to their admin panel > Contact > Dynamic Text Extension.

Keys that are not on the allow list will not return their data. If a disallowed key is encountered when outputting one of the above shortcodes, a PHP Warning will be triggered, indicating the key value that needs to be allow-listed.

We’ve provided both a Form Scanner Tool and a Validation Tool to make it easy to determine which keys need to be allow-listed.

Background & Security Considerations

To give users flexibility when setting up their contact forms, the DTX provides two shortcodes for general access of post and user data:

CF7_get_custom_field allows access to any meta data for any post.
CF7_get_current_user allows access to any user data for the current user.

This means that any logged-in user with the ability to edit posts (Contributor+ access) has the potential to access or reveal sensitive data. If there are untrusted users with access, this can pose a security risk.

To address this potential vulnerability, access to all post meta and user keys for these shortcodes is disallowed by default. Administrators have the authority to add specific keys that they have deemed safe to expose to the Allow Lists, so that those keys can then be used with the above shortcodes. Only keys that are listed on the allow lists will return values when accessed via the above shortcodes.

Access Control

Administrators have access to the DTX Settings page which can be found in the admin panel by visiting Contact > Dynamic Text Extension.

Post Meta Access

By default, all post metadata is disallowed. This section allows administrators to open access as desired.

Keep in mind:

This shortcode allows access to any meta data on any post, which includes custom post types
Users of different authorization levels on your site should potentially not have access to this data

Post Meta Access Screen

Use the Meta Key Allow List setting to allow access to specific meta keys. One key should be added per line.

If all authorized user accounts with edit capabilities on your site are trusted (that is, Contributor+ credentials), you can globally allow all post meta access with the Allow Access to All Post Metadata option. This is provided for convenience for those are sure of what they are doing, but it is a better security practice to use the allow list and leave this setting Disabled.

User Data Access

By default, all user data access is disallowed. This section allows administrators to open access as desired.

Keep in mind:

The shortcode in question allows access for the current (logged in) user. So the vulnerability potential here is for users to find out data about their own accounts that might be private.
User data includes things like the (hashed) password and other potentially sensitive data.

User Data Access Screen

What to do after updating to v4.2.0 or later

When you update, the plugin will run a quick scan of your forms and determine if user intervention is required (that is, if you’ve used either the post meta or user data shortcode).

If your intervention is required, a notice will be displayed to admins when logged into their admin panel:

DTX Access Alert

If you do not see this alert after updating, you should be good to go. But if you want to double check, you can run the Form Scanner Tool any time from the DTX settings page.

If you see this alert, it’s important to resolve the issue promptly as the CF7_get_custom_field and CF7_get_current_user shortcodes will not function properly until you complete this process.

You’ll have 3 options:

Edit Settings will bring you to the DTX Settings Page. From here, you can add any keys you wish to allow access to manually, or you can allow all keys.
Scan & Resolve will bring you straight to the Form Scanner Tool, which will detect any keys that are in use which need to be allow-listed, so you can review them, select those you want to allow access to, and easily add them to the allow list. This recommended for most users.
More Information will bring you to this page explaining what’s going on in detail.

Form Scanner Tool

The Form Scanner Tool is designed to make it easy find and add keys to the allow list. Be sure to review each key to make sure you are not allowing access to sensitive data.

How it works:

Scans all Contact Form 7 forms on your site
Checks for the use of the CF7_get_custom_field and CF7_get_current_user shortcodes
Detects any meta or user data keys that are used which are disallowed
Provides a simple interface to select the keys you wish to allow and add them to the allow list

Please note, the scanner will not detect the use of DTX shortcodes outside of CF7 forms.

To use the Form Scanner Tool, in your admin panel, go to Contact > Dynamic Text Extension. Scroll to the bottom and click Scan Forms for Post Meta and User Data Keys

DTX Scan Button

A scan of your forms will be performed and the results will be displayed. For each form where disallowed keys are detected, Meta Keys and User Data Keys will be displayed:

Review each key.

For any keys you wish to allow, check the box beside them. Then click “Add Selected Keys to Allow Lists” to add all selected keys to the relevant lists, allowing access in the forms.
Keys that are already on the allow list will be displayed and checked by default, and cannot be selected.
For any keys you wish to disallow, edit the form and remove those keys and shortcodes from your dynamic form tags.

Your allowed keys will then appear in the Allow Lists in the settings.

Validation Tool

The Validation Tool is designed for when you’re editing your forms, to alert you if you’re trying to access a post meta or user data key that is disallowed.

When you save a CF7 form, the validator runs. If it detects either shortcode using keys that are not in the allow list, it will display a configuration error indicating the issue.

DTX Validator

Click the link to visit the DTX Settings page, then add the key to the appropriate Allow List. Then re-save the CF7 form to resolve the error.

Programmatic Control via Filters

If you are a developer and need programmatic control over the allowed keys, you can use the following filters:

wpcf7dtx_post_meta_key_allow_list
wpcf7dtx_user_data_key_allow_list

Both filters work the same way:

They act on an array of allowed keys (strings)
They must return an array of strings (or you’ll break things)
The filter runs last in the process, meaning the $allowed_keys parameter will contain the keys that have been manually allow-listed in the settings page
The filter is irrelevant if access is globally allowed from the settings page

Here’s an example of using the post meta filter to allow-list the key “a_private_field”

add_filter( 'wpcf7dtx_post_meta_key_allow_list', 'my_allow_list');
function my_allow_list( $allowed_keys ){
    $allowed_keys[] = 'a_private_field';
    return $allowed_keys;
}

These filters can also be used to programmatically disallow keys that you don’t want to allow to be allow-listed via the admin panel (again assuming you have not globally allowed all keys).