Contact Form 7 – Dynamic Text Extension Security & Risk Analysis

wordpress.org/plugins/contact-form-7-dynamic-text-extension

Extends Contact Form 7 by adding dynamic form fields that accept shortcodes to prepopulate form fields with default values and dynamic placeholders.

100K active installs · v5.0.5 · PHP 7.4+ · WP 5.5+ · Updated Feb 17, 2026
Tags: autofill, contact-form-7, dynamic-form, form-field, prepopulate
Score: 74 (B · Generally Safe)
CVEs total: 6
Unpatched: 1
Last CVE: Sep 26, 2025
Safety Verdict

Is Contact Form 7 – Dynamic Text Extension Safe to Use in 2026?

Mostly Safe

Score 74/100

Contact Form 7 – Dynamic Text Extension is generally safe to use. 6 past CVEs were resolved. Keep it updated.

6 known CVEs · 1 unpatched · Last CVE: Sep 26, 2025 · Updated 1mo ago
Risk Assessment

The "contact-form-7-dynamic-text-extension" plugin v5.0.5 exhibits a mixed security posture. On the positive side, the static analysis reveals no immediate critical risks from code signals such as dangerous functions, raw SQL queries, or file operations. The majority of output is properly escaped, and nonce and capability checks are present on the identified entry points, suggesting a decent effort towards secure coding practices.

However, the vulnerability history is a significant concern. With six known CVEs, including one currently unpatched, and a history of medium severity vulnerabilities like Code Injection, CSRF, and various information exposure types, the plugin has a track record of security flaws. The presence of unsanitized paths in taint analysis, although not classified as critical or high, is also a point of concern and warrants further investigation, especially in light of the plugin's past vulnerabilities. The fact that all three analyzed taint flows had unsanitized paths is a strong indicator of potential issues.

Overall, while the static analysis for this specific version shows some good security practices, the extensive vulnerability history and the presence of unsanitized paths in taint analysis strongly suggest a higher risk. Users should be cautious and prioritize updating to a version that has addressed all past vulnerabilities, particularly the currently unpatched one.

Key Concerns

  • Currently unpatched CVE
  • Multiple known CVEs (6 total)
  • Taint flows with unsanitized paths (3/3)
  • Medium severity vulnerabilities in history
Vulnerabilities 6

Contact Form 7 – Dynamic Text Extension Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2023: 1 CVE
2024: 3 CVEs
2025: 1 CVE · unpatched

Severity Breakdown

Medium: 6

6 total CVEs

CVE-2025-63068 · medium · 6.5 · Improper Control of Generation of Code ('Code Injection')

Contact Form 7 – Dynamic Text Extension <= 5.0.3 - Unauthenticated Arbitrary Shortcode Execution

Sep 26, 2025 · Unpatched

CVE-2024-56218 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Contact Form 7 Dynamic Text Extension <= 5.0.1 - Cross-Site Request Forgery

Dec 19, 2024 · Patched in 5.0.2 (21d)

CVE-2024-10084 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Contact Form 7 – Dynamic Text Extension <= 4.5 - Information Disclosure via Shortcode

Nov 5, 2024 · Patched in 4.5.1 (1d)

CVE-2023-6630 · medium · 4.3 · Exposure of Private Personal Information to an Unauthorized Actor

Contact Form 7 – Dynamic Text Extension <= 4.1.0 - Insecure Direct Object Reference

Jan 10, 2024 · Patched in 4.2.0 (202d)

WF-fa821005-9593-4a84-b4b4-af746da4d6b9-contact-form-7-dynamic-text-extension · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contact Form 7 Dynamic Text Extension <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 19, 2023 · Patched in 3.0.0 (369d)

WF-59cefa5d-f270-48e1-bb3e-98f710a055d8-contact-form-7-dynamic-text-extension · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contact Form 7 Dynamic Text Extension < 2.0.3 - Reflected Cross-Site Scripting

Jul 24, 2019 · Patched in 2.0.3 (1644d)

Code Analysis
Analyzed Mar 17, 2026

Contact Form 7 – Dynamic Text Extension Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 22 (182 escaped)
Nonce Checks: 3
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

89% escaped · 204 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
render_options_page (includes\admin\settings.php:171)
Attack Surface

Contact Form 7 – Dynamic Text Extension Attack Surface

Entry Points: 16
Unprotected: 0

AJAX Handlers 2

auth wp_ajax_wpcf7dtx contact-form-7-dynamic-text-extension.php:785
nopriv wp_ajax_wpcf7dtx contact-form-7-dynamic-text-extension.php:786

Shortcodes 14

[CF7_GET] includes\shortcodes.php:20
[CF7_POST] includes\shortcodes.php:21
[CF7_URL] includes\shortcodes.php:22
[CF7_referrer] includes\shortcodes.php:23
[CF7_bloginfo] includes\shortcodes.php:24
[CF7_get_post_var] includes\shortcodes.php:25
[CF7_get_custom_field] includes\shortcodes.php:26
[CF7_get_current_var] includes\shortcodes.php:27
[CF7_get_current_user] includes\shortcodes.php:28
[CF7_get_attachment] includes\shortcodes.php:29
[CF7_get_cookie] includes\shortcodes.php:30
[CF7_get_taxonomy] includes\shortcodes.php:31
[CF7_get_theme_option] includes\shortcodes.php:32
[CF7_guid] includes\shortcodes.php:33

WordPress Hooks 22

action admin_notices contact-form-7-dynamic-text-extension.php:62
action admin_notices contact-form-7-dynamic-text-extension.php:74
action wpcf7_init contact-form-7-dynamic-text-extension.php:85
action plugins_loaded contact-form-7-dynamic-text-extension.php:87
filter wpcf7_form_hidden_fields contact-form-7-dynamic-text-extension.php:103
action wp_enqueue_scripts contact-form-7-dynamic-text-extension.php:369
action admin_init includes\admin\settings.php:29
action admin_menu includes\admin\settings.php:30
action admin_init includes\admin\update-check.php:20
action plugins_loaded includes\admin\update-check.php:23
action admin_notices includes\admin\update-check.php:126
action admin_enqueue_scripts includes\admin.php:85
action wpcf7_admin_init includes\admin.php:86
action init includes\shortcodes.php:35
filter wpcf7dtx_allow_protocols includes\utilities.php:38
filter wpcf7dtx_sanitize includes\utilities.php:74
filter wpcf7dtx_escape includes\utilities.php:108
filter wpcf7dtx_obfuscate includes\utilities.php:159
filter wpcf7_messages includes\validation.php:33
filter wpcf7_config_validator_available_error_codes includes\validation.php:49
action wpcf7_config_validator_validate includes\validation.php:322
action plugins_loaded includes\validation.php:325
Maintenance & Trust

Contact Form 7 – Dynamic Text Extension Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 17, 2026
PHP min version: 7.4
Downloads: 1.9M

Community Trust

Rating: 94/100
Number of ratings: 100
Active installs: 100K
Developer Profile

Contact Form 7 – Dynamic Text Extension Developer Profile

sevenspark

6 plugins · 126K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 395 days
Detection Fingerprints

How We Detect Contact Form 7 – Dynamic Text Extension

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-form-7-dynamic-text-extension/css/cf7-dtx-admin.css
/wp-content/plugins/contact-form-7-dynamic-text-extension/css/cf7-dtx-frontend.css
/wp-content/plugins/contact-form-7-dynamic-text-extension/js/cf7-dtx-frontend.js
Script Paths
/wp-content/plugins/contact-form-7-dynamic-text-extension/js/cf7-dtx-frontend.js
Version Parameters
/wp-content/plugins/contact-form-7-dynamic-text-extension/css/cf7-dtx-admin.css?ver=
/wp-content/plugins/contact-form-7-dynamic-text-extension/css/cf7-dtx-frontend.css?ver=
/wp-content/plugins/contact-form-7-dynamic-text-extension/js/cf7-dtx-frontend.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Dynamic Field Start -->
<!-- Dynamic Field End -->
<!-- Dynamic Field Wrapper Start -->
<!-- Dynamic Field Wrapper End -->
Data Attributes
data-cf7dtx-val
Shortcode Output
<input type="text" name="" value="" size="40" class="wpcf7-form-control wpcf7-dynamic-text" id="" data-cf7dtx-val="
FAQ

Frequently Asked Questions about Contact Form 7 – Dynamic Text Extension