Contact Form 7 5.5 is now available. The main feature is the new Stripe integration module, which brings a simple payment widget to forms. 5.5 also includes some important security enhancements, along with many bug fixes and improvements. Upgrading immediately is recommended.
The much-needed payment service joins the lineup of Contact Form 7’s officially supported integrations. The Stripe integration module allows you to add a credit-card payment widget into your contact forms in simple steps.
For details, see Stripe integration.
Security constraint on WPCF7_UPLOADS_TMP_DIR
WPCF7_UPLOADS_TMP_DIR is a constant that is used to customize the temporary directory for uploaded files. As part of the security enhancement in 5.5, this constant now takes effect only when its value refers to a directory located under the WordPress content directory (WP_CONTENT_DIR). Otherwise, the constant is ignored and the default directory path is used.
There should be no need to keep the directory for uploaded files outside the content directory that is under the control of WordPress. If you have an invalid setting in the constant, you should correct it as soon as possible.
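To audit an existing setting before upgrading, a containment check like the following can be run with the PHP CLI. This is an added example, not Contact Form 7's own code: the function name is_under_content_dir() is hypothetical, the directory layout is constructed for the demonstration, and treating the content directory itself as not "under" it is this example's assumption.

```php
<?php
// Added example (not the plugin's implementation): report whether a candidate
// WPCF7_UPLOADS_TMP_DIR value resolves to a directory inside the content directory.

/**
 * Hypothetical helper. Both paths are canonicalised with realpath(), so "..",
 * symlinks and duplicate slashes are resolved before the comparison.
 */
function is_under_content_dir( string $candidate, string $content_dir ): bool {
    $base = realpath( $content_dir );
    $path = realpath( $candidate );

    // realpath() returns false for a path that does not exist, so a directory
    // that has not been created yet cannot be confirmed by this check.
    if ( false === $base || false === $path || ! is_dir( $path ) ) {
        return false;
    }

    // Compare with a trailing separator so that a sibling directory whose name
    // merely starts with the content directory's name is not accepted.
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    $path = rtrim( $path, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    return $path !== $base && 0 === strpos( $path, $base );
}

// Constructed sample layout under the system temp directory.
$root = sys_get_temp_dir() . '/cf7-demo-' . uniqid();
mkdir( "$root/wp-content/uploads/wpcf7_tmp", 0700, true );
mkdir( "$root/wp-content-old/tmp", 0700, true );
mkdir( "$root/outside", 0700, true );

$content_dir = "$root/wp-content"; // stands in for WP_CONTENT_DIR
$candidates  = array(
    "$root/wp-content/uploads/wpcf7_tmp",     // nested in the content directory
    "$root/wp-content/uploads/../../outside", // uses ".." segments
    "$root/wp-content-old/tmp",               // shares only a name prefix
    "$root/wp-content/missing",               // does not exist
);

foreach ( $candidates as $candidate ) {
    $verdict = is_under_content_dir( $candidate, $content_dir ) ? 'inside' : 'not inside';
    printf( "%-10s %s\n", $verdict, $candidate );
}

// Remove the constructed directories again, deepest first.
foreach ( array( 'wp-content/uploads/wpcf7_tmp', 'wp-content/uploads', 'wp-content', 'wp-content-old/tmp', 'wp-content-old', 'outside', '' ) as $dir ) {
    rmdir( "$root/$dir" );
}
```

On a real site, pass the value from wp-config.php as the candidate and WP_CONTENT_DIR as the second argument.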
KSES filtering on contact form templates
Another security enhancement in 5.5 is to apply the KSES filter to the form template and the email body template. KSES is a set of PHP functions that strips disallowed HTML elements and attributes from the target content. Unless you are a privileged user who has the unfiltered_html capability, you are not allowed to use the disallowed HTML in the contact form editor screen.
Contact Form 7 defines its own list of allowed HTML elements and attributes. Although the list covers most elements and attributes that are often used for form controls, you can also customize it using the wpcf7_kses_allowed_html filter hook, if necessary.
Requires: WordPress 5.7 or higher
Tested up to: WordPress 5.8.1
» Download Contact Form 7 plugin from WordPress.org
- Introduces the Stripe integration module.
- Sendinblue: Introduces the
- reCAPTCHA: Introduces the
- Akismet: Introduces the
- Flamingo: Introduces the
- Submission: Introduces posted data hash-related methods.
- Submission: Introduces the get_result() method and the
- File uploading: Ignores the WPCF7_UPLOADS_TMP_DIR constant if the value is not within the WordPress content directories.
- Security: Applies the KSES filter to the form and email body templates.
- Introduces the wpcf7-spinner class that replaces the
- REST API: Introduces the WPCF7_REST_Controller class and schemas.
- Avoids deleting the plugin data on uninstall if another version of the plugin is running.
- Fixed: Several bugs related to backslash handling.
- Fixed: Form submission did not work correctly when dots were used in form-tag names.
- Config validation: Adds a validation item for cases of dots used in form-tag names.
- Drops the support for Dark Mode.
You can browse the full list of changes on GitHub.