Contact Form 7 version 5.9.5 is now available. This minor update release includes a few improvements and security enhancements. Upgrading to this version as soon as possible is recommended.
Heads-up about the form action attribute
Contact Form 7 provides the wpcf7_form_action_url filter hook for the action attribute value of a contact form. This filter is useful for adding a query string, such as a tracking code, to the form URL.
Employing this filter to lead form submitters to a different site is not the intended use, and can constitute a security risk. Form submissions must be directed to the same address as the origin site. To mitigate this risk, Contact Form 7 5.9.5 introduces a restriction on the action attribute value: if an invalid value is detected, form rendering will be cancelled and an error message will be displayed.
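The intended use described above, as an added example (not Contact Form 7's own code): a callback on wpcf7_form_action_url that appends a tracking parameter and returns the URL unchanged if it does not point at the site itself. The example_ function name, the utm_source parameter and the sample URLs are assumptions, and the scheme/host/port comparison is one reading of "same address as the origin site", not the plugin's actual validation logic.

```php
<?php
// Added example, not Contact Form 7 code. example_* names are hypothetical.

/**
 * Append one query parameter to a form action URL, but only when the URL
 * targets the site itself. Any other URL is returned unchanged.
 */
function example_add_tracking_query( string $url, string $site_url, string $key, string $value ): string {
	$target = parse_url( $url );
	$site   = parse_url( $site_url );
	if ( false === $target || false === $site ) {
		return $url; // Unparseable input: do not touch it.
	}

	// A URL without a host is relative to the site. Otherwise scheme, host
	// and port must all match the site's (assumed meaning of "same address").
	if ( isset( $target['host'] ) ) {
		foreach ( array( 'scheme', 'host', 'port' ) as $part ) {
			$theirs = strtolower( (string) ( $target[ $part ] ?? '' ) );
			$ours   = strtolower( (string) ( $site[ $part ] ?? '' ) );
			if ( $theirs !== $ours ) {
				return $url;
			}
		}
	}

	// Insert the query before any #fragment; text appended after the
	// fragment would never be sent to the server.
	$fragment = '';
	$hash     = strpos( $url, '#' );
	if ( false !== $hash ) {
		$fragment = substr( $url, $hash );
		$url      = substr( $url, 0, $hash );
	}
	$separator = ( false === strpos( $url, '?' ) ) ? '?' : '&';
	return $url . $separator . rawurlencode( $key ) . '=' . rawurlencode( $value ) . $fragment;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: register on the hook named in the announcement.
	add_filter( 'wpcf7_form_action_url', function ( $url ) {
		return example_add_tracking_query( $url, home_url(), 'utm_source', 'newsletter' );
	} );
} else {
	// Stand-alone run with constructed sample URLs.
	foreach ( array( '/contact/#form', 'https://example.com/contact/?a=1', 'https://other.example/collect' ) as $sample ) {
		echo example_add_tracking_query( $sample, 'https://example.com', 'utm_source', 'newsletter' ), "\n";
	}
}
```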
Major changes
- Block editor: Removes redundant code that registers scripts.
- Introduces a restriction on form action attribute abuses.
You can browse the full list of changes on GitHub.
Requires: WordPress 6.3 or higher
Tested up to: WordPress 6.5.3