Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Peter

    (@onjomax)

    Hi Support, any update on this?

    Thread Starter Peter

    (@onjomax)

    Any update on this?

    Plugin Author Tessa (they/them), AuRise Creative

    (@tessawatkinsllc)

    Patchstack reviewed the patch submitted in version 5.0.5 on March 24, 2026, and marked it as incomplete, meaning the immediate vulnerability has been patched but the security around it could be hardened even more. These additional security features will be added in the upcoming version 6 of Contact Form 7 – Dynamic Text Extension. I do not yet have a timeline for its release.

    —April 8, 2026

    For the security of all users, please report security bugs found in the source code of Contact Form 7 – Dynamic Text Extension WordPress plugin through the Wordfence Intelligence Vulnerability Submission Form or the Patchstack Vulnerability Disclosure Program. Both platforms will assist you with verification, CVE assignment, and notify me.

    If the security bug or vulnerability is already on those platforms (as is the case here), then I already know about it. To stay updated on this particular report, please see this article here on my website or send me an email. I do not disclose vulnerability report details publicly for security purposes so if that is what you’re looking for, an email is best.

    Thread Starter Peter

    (@onjomax)

    Hi @tessawatkinsllc, thanks for your feedback, it would be great if the security issue is fixed at least or hardened as this is a plugin installed on a live site and right now it opens doors for a security breach not just on our site but many. Thank you.

    Plugin Author Tessa (they/them), AuRise Creative

    (@tessawatkinsllc)

    If you send me an email, I can send you more details, because again, I do not disclose those publicly. I am fully aware that this plugin is active on 100,000+ websites, many that are production sites.

    To put it in your words, the door is closed. However, to add a lock to the door in the way that would mark this as “complete” requires much more work (for free) and would be a major update, breaking many of those sites the moment they updated. While I’d love to simply turn the key in the lock and walk away, I believe myself to be more courteous than that and want to give people (non-tech people too since not everyone with a WP site is a dev) time to prepare by developing the first version with a warning that walks them through how to prepare their forms so they don’t break when the key is fully turned.
