Contact Form 7 5.9.5

Contact Form 7 version 5.9.5 is now available. This minor update release includes a few improvements and security enhancements. Upgrading to this version as soon as possible is recommended.

Heads-up about the form action attribute

Contact Form 7 provides the wpcf7_form_action_url filter hook for the action attribute value of a contact form. This filter is useful for adding a query string, such as a tracking code, to the form URL.

Employing this filter to lead form submitters to a different site is not the intended use, and can constitute a security risk. Form submissions must be directed to the same address as the origin site. To mitigate this risk, Contact Form 7 5.9.5 introduces a restriction on the action attribute value—if an invalid value is detected, form rendering will be cancelled and an error message will be displayed.

The error message reads: "Error: Invalid action URL is detected."
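The intended use of the filter, as an added example that is not code from Contact Form 7 or its author: a callback that appends a tracking query to the action URL and refuses to return anything that leaves the site. The function names, the utm_source parameter and its value are hypothetical, and the origin comparison is this example's own approximation of "same address as the origin site", not the plugin's internal check.

```php
<?php
// Added example, not Contact Form 7 code. Function names and the
// "utm_source" parameter/value are constructed for illustration.

add_filter( 'wpcf7_form_action_url', 'example_cf7_add_tracking_query' );

function example_cf7_add_tracking_query( $url ) {
	// add_query_arg() only touches the query string, so the scheme, host,
	// path and #fragment of the original action URL are preserved.
	$tracked = add_query_arg( 'utm_source', 'contact-page', $url );

	// Defensive check: never hand back a URL that points off-site.
	if ( ! example_is_same_site( $tracked ) ) {
		return $url; // fall back to the unmodified action URL
	}

	return $tracked;
}

// Assumption: "same site" is approximated by comparing scheme, host and
// port against home_url(). Relative URLs count as same-site.
function example_is_same_site( $url ) {
	$target = wp_parse_url( $url );
	$home   = wp_parse_url( home_url() );

	if ( ! is_array( $target ) || ! is_array( $home ) ) {
		return false; // unparsable URL: reject
	}

	if ( empty( $target['host'] ) ) {
		// No host: accept only plain relative URLs such as "/contact/#form".
		// A scheme without a host (e.g. "javascript:") is rejected.
		return empty( $target['scheme'] );
	}

	foreach ( array( 'scheme', 'host', 'port' ) as $part ) {
		$a = isset( $target[ $part ] ) ? strtolower( (string) $target[ $part ] ) : '';
		$b = isset( $home[ $part ] ) ? strtolower( (string) $home[ $part ] ) : '';
		if ( $a !== $b ) {
			return false; // different origin, including "//other.example/..."
		}
	}

	return true;
}
```

When auditing a site before upgrading, search themes and custom plugins for callbacks hooked to wpcf7_form_action_url and confirm each one only modifies the query string in this way.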

Major changes

  • Block editor: Removes redundant code that registers scripts.
  • Introduces a restriction on form action attribute abuses.

You can browse the full list of changes on GitHub.

Requires: WordPress 6.3 or higher
Tested up to: WordPress 6.5.3

» Download Contact Form 7 plugin from WordPress.org