Resolved daymobrew

    (@daymobrew)


    I read the 4.2.0 Changelog and I see that I will have to modify some of my forms.

    What was the motivation for having to white list meta keys?

Viewing 4 replies - 1 through 4 (of 4 total)
Plugin Author sevenspark

    (@sevenspark)

    Hi @daymobrew,

    Please see the doc linked in the changelog and admin panel for full details: https://sevenspark.com/docs/contact-form-7-dynamic-text-extension/allow-data-access

    The Background & Security Considerations section covers this, but in short, the CF7_get_custom_field shortcode allows access to any metadata for any post on the site. That could include sensitive data that not all users should have access to, and shouldn’t be displayed publicly. Potentially, a user with Contributor+ credentials could maliciously or unintentionally reveal that data, as anyone with edit capabilities can add the shortcode to post content as well as to contact forms.

    In order to prevent this potential security vulnerability, metadata access is now disallowed by default, but access can be configured in the settings by the admin.

    For sites where some users with edit capabilities may be untrusted, the admin would need to allow-list just the keys that are safe for any user to access.

    For sites where all users with edit capabilities are trusted, the admin can open up full access if they prefer.

    You won’t need to edit your forms, unless you’re currently exposing sensitive data that needs to be removed. You’ll only need to use the allow list if you are using one of the shortcodes in question.

    Again please see the link above for complete details on the potential vulnerability, how the plugin has changed, and how to test for and resolve any issues after updating using the new tools provided. (It should be very quick and easy using the form scanner).

    Hope that helps!

    Chris
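To make the allow-list model in the reply above concrete, here is an added example that is not the plugin's own code: a deny-by-default meta-key check and a minimal "form scanner" that finds CF7_get_custom_field usages in form content and reports which keys the current settings would still block. It assumes the shortcode takes a key='...' attribute, that the admin settings are a boolean "allow all" plus a list of allowed keys, and that the `[dynamictext ...]` wrapper syntax shown in the sample is representative; the function names, settings shape and sample data are all hypothetical.

```php
<?php
// Added example, not the plugin's code. Settings shape, function names and the
// key='...' attribute are assumptions; sample form and meta values are constructed.

/** True if $key may be read under $settings; nothing is allowed by default. */
function dtx_meta_key_allowed(string $key, array $settings): bool {
    if (!empty($settings['allow_all'])) {
        return true; // admin opened full access (all editors trusted)
    }
    return in_array($key, $settings['allow_list'] ?? [], true);
}

/** Guarded lookup: only allow-listed keys are returned, anything else yields ''. */
function dtx_get_custom_field(array $meta, string $key, array $settings): string {
    if (!dtx_meta_key_allowed($key, $settings)) {
        return '';
    }
    return (string) ($meta[$key] ?? '');
}

/** Minimal scanner: collect the meta keys a form references via CF7_get_custom_field. */
function dtx_scan_meta_keys(string $content): array {
    preg_match_all("/CF7_get_custom_field\s+key=['\"]([^'\"]+)['\"]/i", $content, $m);
    return array_values(array_unique($m[1]));
}

/** Keys the scanner found that the given settings would still block. */
function dtx_blocked_keys(string $content, array $settings): array {
    $blocked = [];
    foreach (dtx_scan_meta_keys($content) as $key) {
        if (!dtx_meta_key_allowed($key, $settings)) {
            $blocked[] = $key;
        }
    }
    return $blocked;
}

// Constructed sample: one harmless SKU field and one key that should stay private.
$form = "[dynamictext sku \"CF7_get_custom_field key='_sku'\"]\n"
      . "[dynamictext tok \"CF7_get_custom_field key='_api_token'\"]";
$meta = ['_sku' => 'ABC-123', '_api_token' => 'constructed-secret'];

$defaults = ['allow_all' => false, 'allow_list' => []];      // post-update default
$allowed  = ['allow_all' => false, 'allow_list' => ['_sku']]; // admin allow-listed _sku

print_r(dtx_blocked_keys($form, $defaults)); // both keys blocked until allow-listed
print_r(dtx_blocked_keys($form, $allowed));  // only _api_token remains blocked
echo dtx_get_custom_field($meta, '_sku', $allowed), "\n";
echo dtx_get_custom_field($meta, '_api_token', $allowed), "\n"; // empty string
```

Run with `php example.php`; with the default settings every referenced key is reported as blocked, and after adding `_sku` to the list only the sensitive key remains unreadable.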

    Plugin Author sevenspark

    (@sevenspark)

    Well, I wrote out a detailed reply, which was then auto-held for moderation by the WP forum system. Not sure when it’ll be reviewed/approved, so in the meantime I’d recommend reading through the guide we’ve linked to in the changelog and admin panel (post-update).

    Hopefully this one doesn’t get held up as well.

    Thread Starter daymobrew

    (@daymobrew)

    Thanks for the lengthy reply. Very helpful.

    I’d read the guide but I was looking at it from a ‘this affects me how’ viewpoint. I can see that I will need to update one of my blog posts so that the _sku custom field can be referenced by CF7_get_custom_field.

    Plugin Author sevenspark

    (@sevenspark)

    You’re welcome! Yes, if you run the Form Scanner it should auto-find that field and allow you to just select it and add it to the Allow List. Or of course you can add it to the Allow List directly ??

The topic ‘What was the motivation for the 4.2.0 security changes?’ is closed to new replies.