Contact Form 7 5.5

Contact Form 7 5.5 is now available. The main feature is the introduction of the Stripe integration module that brings a simple payment widget to forms. 5.5 also includes some important security enhancements. In addition, a lot of bug-fixes and improvements have been done. Upgrading immediately is recommended.

Stripe integration

The much-needed payment service joins the lineup of Contact Form 7’s officially supported integrations. The Stripe integration module allows you to add a credit-card payment widget into your contact forms in simple steps.

For details, see Stripe integration.

Security constraint on WPCF7_UPLOADS_TMP_DIR

WPCF7_UPLOADS_TMP_DIR is a constant that is used to customize the temporary directory for uploaded files. As part of the security enhancement in 5.5, this constant changes to work only in cases where the value refers to a directory that is located under the WordPress content directory (WP_CONTENT_DIR). Otherwise, the constant will be ignored and the default directory path will be used.

There should be no necessity to have the directory for uploaded files outside the content directory that is under the control of WordPress. If you have an invalid setting in the constant, you should correct it as soon as possible.

KSES filtering on contact form templates

Another security enhancement in 5.5 is to apply the KSES filter to the form template and the email body template. KSES is a set of PHP functions that strips disallowed HTML elements and attributes from the target content. Unless you are a privileged user who has the unfiltered_html capability, you are not allowed to use the disallowed HTML in the contact form editor screen.

Contact Form 7 defines its own list of allowed HTML elements and attributes. Although the list covers most elements and attributes that are often used for form controls, you can also customize it using the wpcf7_kses_allowed_html filter hook, if necessary.

Requires: WordPress 5.7 or higher
Tested up to: WordPress 5.8.1

» Download Contact Form 7 plugin from

Major changes

  • Introduces the Stripe integration module.
  • Sendinblue: Introduces the wpcf7_sendinblue_contact_parameters and wpcf7_sendinblue_email_parameters filter hooks.
  • reCAPTCHA: Introduces the wpcf7_use_recaptcha_net filter hook.
  • Akismet: Introduces the wpcf7_akismet_parameters filter hook.
  • Flamingo: Introduces the wpcf7_flamingo_inbound_message_parameters filter hook.
  • Submission: Introduces posted data hash-related methods.
  • Submission: Introduces the get_result() method and the wpcf7_submission_result filter hook.
  • File uploading: Ignores the WPCF7_UPLOADS_TMP_DIR constant if the value is not within the WordPress content directories.
  • Security: Applies the KSES filter to the form and email body templates.
  • Introduces the wpcf7-spinner class that replaces the ajax-loader class.
  • Improves wpcf7_canonicalize().
  • REST API: Introduces the WPCF7_REST_Controller class and schemas.
  • Avoids deleting the plugin data on uninstall if another version of the plugin is running.
  • Fixed: Several bugs related to backslash handling.
  • Fixed: Form submission did not work correctly when dots used in form-tag names.
  • Config validation: Add a validation item for cases of dots used in form-tag.
  • Drops the support for Dark Mode.

You can browse the full list of changes on GitHub.