Documentation: Contact Form 7 - Dynamic Text Extension

Allowing Access to Post Meta and User Data

Overview

As of CF7 DTX v4.2.0, all access to post metadata and user data via the CF7_get_custom_field and CF7_get_current_user shortcodes is disallowed by default. To allow access to specific metadata or user data, administrators can add those keys to the Allow Lists in their admin panel under Contact > Dynamic Text Extension. Keys that are not on the allow list will not return their data. If a disallowed key is encountered when outputting one of the above shortcodes, a PHP Warning is triggered that names the key value that needs to be allow-listed. We’ve provided both a Form Scanner Tool and a Validation Tool to make it easy to determine which keys need to be allow-listed.

Background & Security Considerations

To give users flexibility when setting up their contact forms, the DTX provides two shortcodes for general access to post and user data:

CF7_get_custom_field allows access to any metadata for any post.
CF7_get_current_user allows access to any user data for the current user.

This means that any logged-in user with the ability to edit posts (Contributor+ access) has the potential to access or reveal sensitive data. If there are untrusted users with that access, this poses a security risk. To address this potential vulnerability, access to all post meta and user keys for these shortcodes is disallowed by default. Administrators have the authority to add specific keys that they have deemed safe to expose to the Allow Lists, so that those keys can then be used with the above shortcodes. Only keys that are listed on the allow lists will return values when […]
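The following is an added illustration, not code from the CF7 DTX plugin or its documentation: it models the default-deny allow-list gate described above (a PHP Warning naming the disallowed key, no value returned) and a minimal stand-in for the Form Scanner Tool that lists keys still missing from the allow lists. It assumes the shortcodes carry a key='...' attribute and that the allow lists are plain arrays of key names; the plugin's real storage and filter hooks are not shown.

```php
<?php
// Added example (not the plugin's own code). Assumptions: shortcodes take a
// key='...' attribute, and allow lists are plain arrays of permitted key names.

// Constructed allow lists, as an administrator might configure them.
$allowed_post_meta = ['product_sku', 'event_date'];
$allowed_user_data = ['user_email', 'display_name'];

/**
 * Return $value only when $key is allow-listed; otherwise raise the warning
 * the docs describe (naming the key) and return an empty string, so a
 * disallowed key never leaks its data into the form.
 */
function dtx_gate(string $kind, string $key, array $allow, $value): string
{
    if (!in_array($key, $allow, true)) {
        trigger_error("CF7 DTX: {$kind} key '{$key}' is not allow-listed", E_USER_WARNING);
        return '';
    }
    return (string) $value;
}

/**
 * Scan a form template for CF7_get_custom_field / CF7_get_current_user uses
 * and return the keys not yet on the matching allow list, grouped by shortcode.
 */
function dtx_scan_form(string $template, array $meta_allow, array $user_allow): array
{
    $pattern = "/(CF7_get_custom_field|CF7_get_current_user)\s+[^\]]*?key=['\"]([^'\"]+)['\"]/";
    preg_match_all($pattern, $template, $matches, PREG_SET_ORDER);
    $missing = ['CF7_get_custom_field' => [], 'CF7_get_current_user' => []];
    foreach ($matches as [, $shortcode, $key]) {
        $allow = $shortcode === 'CF7_get_custom_field' ? $meta_allow : $user_allow;
        if (!in_array($key, $allow, true) && !in_array($key, $missing[$shortcode], true)) {
            $missing[$shortcode][] = $key;
        }
    }
    return $missing;
}

// Constructed form template: one allowed and one disallowed key per shortcode.
$form = "[dynamic_text sku \"CF7_get_custom_field key='product_sku'\"]\n"
      . "[dynamic_hidden token \"CF7_get_custom_field key='_api_token'\"]\n"
      . "[dynamic_text email \"CF7_get_current_user key='user_email'\"]\n"
      . "[dynamic_hidden pw \"CF7_get_current_user key='user_pass'\"]";

print_r(dtx_scan_form($form, $allowed_post_meta, $allowed_user_data));
echo dtx_gate('post meta', 'product_sku', $allowed_post_meta, 'SKU-123'), "\n";
echo dtx_gate('post meta', '_api_token', $allowed_post_meta, 'constructed-value'), "\n";
```

The scanner reports `_api_token` and `user_pass` as needing a decision; the second `dtx_gate` call emits the warning and outputs nothing, which is the behaviour the overview describes for keys left off the list.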
