Dynamic Text Field For Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/dynamic-text-field-for-contact-form-7

Add Fields Dynamically Contact Form 7 With it you can access a lot of post information e.g. title, slug, URL, ID, and even custom fields with shortco …

1K active installs · v1.0 · PHP + WP 5.5+ · Updated Jan 31, 2026
Tags: dynamic-hidden-field-for-contact-form-7, dynamic-text-field-for-contact-form-7, text-field-and-hidden-field-cf7
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Sep 9, 2025
Safety Verdict

Is Dynamic Text Field For Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 99/100

Dynamic Text Field For Contact Form 7 has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Sep 9, 2025 · Updated 2mo ago
Risk Assessment

The plugin 'dynamic-text-field-for-contact-form-7' version 1.0 presents a mixed security posture. Static analysis shows good practices in several areas, including no dangerous functions, no file operations, no external HTTP requests, and 100% of SQL queries utilizing prepared statements. Furthermore, output escaping is generally well-handled with 92% of outputs properly escaped, and there are no identified taint flows with unsanitized paths. This indicates a conscientious approach to preventing common vulnerabilities.

However, there are notable areas of concern. The plugin has one known CVE, CVE-2025-58989, a stored Cross-site Scripting (XSS) vulnerability exploitable by authenticated users with Contributor-level access or above; it is concerning even though it is now patched. The static analysis finds no nonce checks and no capability checks on any entry point, and these checks are critical for preventing unauthorized actions and ensuring that only legitimate users can trigger plugin functionality. While the attack surface is limited to shortcodes, the lack of these security mechanisms on these entry points represents a significant weakness.

In conclusion, while the plugin demonstrates strengths in secure coding practices like prepared statements and output escaping, the lack of nonce and capability checks on its shortcode entry points is a significant oversight. The past XSS vulnerability, though patched, highlights a historical weakness that warrants careful monitoring. The absence of these fundamental security checks means that the plugin's core functionality is potentially vulnerable to attacks that could exploit its entry points.

Key Concerns

  • No nonce checks on entry points
  • No capability checks on entry points
  • Past XSS vulnerability (though patched)
  • Minor unescaped output instances
Vulnerabilities
1

Dynamic Text Field For Contact Form 7 Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-58989 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Dynamic Text Field For Contact Form 7 <= 2.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 9, 2025 · Patched in 1.1 (7d)
Code Analysis
Analyzed Mar 16, 2026

Dynamic Text Field For Contact Form 7 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (12 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

92% escaped · 13 total outputs
Attack Surface

Dynamic Text Field For Contact Form 7 Attack Surface

Entry Points: 6
Unprotected: 0

Shortcodes 6

[DYFCF7_get_post_title] main\backend\DYFCF7_frontend.php:95
[DYFCF7_get_current_user] main\backend\DYFCF7_frontend.php:121
[DYFCF7_get_custom_field] main\backend\DYFCF7_frontend.php:150
[DYFCF7_page_url] main\backend\DYFCF7_frontend.php:162
[DYFCF7_get_product] main\backend\DYFCF7_frontend.php:185
[DYFCF7_get_bloginfo] main\backend\DYFCF7_frontend.php:203

WordPress Hooks 10

filter plugin_row_meta dynamic-text-field-for-contact-form-7.php:42
action wpcf7_init main\backend\DYFCF7_frontend.php:9
action wpcf7_init main\backend\DYFCF7_frontend.php:17
action wpcf7_admin_init main\backend\DYFCF7_frontend.php:284
action wpcf7_admin_init main\backend\DYFCF7_frontend.php:293
filter wpcf7_validate_shortcodefield* main\backend\DYFCF7_frontend.php:302
action admin_init main\resources\DYFCF7-installation-require.php:3
action admin_notices main\resources\DYFCF7-installation-require.php:7
action plugins_loaded main\resources\DYFCF7-language.php:3
filter load_textdomain_mofile main\resources\DYFCF7-language.php:16
Maintenance & Trust

Dynamic Text Field For Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 31, 2026
PHP min version
Downloads: 7K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 1K
Alternatives

Dynamic Text Field For Contact Form 7 Alternatives

No alternatives data available yet.

Developer Profile

Dynamic Text Field For Contact Form 7 Developer Profile

silverplugins217

21 plugins · 12K total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 10 days
Detection Fingerprints

How We Detect Dynamic Text Field For Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/dynamic-text-field-for-contact-form-7/main/backend/DYFCF7_frontend.php
/wp-content/plugins/dynamic-text-field-for-contact-form-7/main/resources/DYFCF7-installation-require.php
/wp-content/plugins/dynamic-text-field-for-contact-form-7/main/resources/DYFCF7-language.php

HTML / DOM Fingerprints

CSS Classes
wpcf7-validates-as-shortcodefield
Data Attributes
data-tag-part
data-tag-option
Shortcode Output
[DYFCF7_get_post_title]
[DYFCF7_get_current_user]
[DYFCF7_get_custom_field]
[DYFCF7_page_url]
FAQ

Frequently Asked Questions about Dynamic Text Field For Contact Form 7