Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @kkow, this is something I am aware of. It is currently low on my list of priorities because the “bug” that is reported is one of the primary “features” which is the ability to code your own shortcodes and run them through CF7, and the vulnerability is that I am not validating or verifying any of your custom shortcodes.

    While we have permissions in place for using allowlists in our built-in shortcodes, I think we will have to do the same with custom shortcodes, as in, make an allowlist of shortcodes and their attributes and permissions.

    I have to put more thought into it. It will definitely inhibit a lot of users and break a lot of sites if implemented poorly. I’m open to suggestions if you have any 🙂

  • Hey fam, I’ll be working on this today. Stay tuned!

  • Just posting an update to say I am still focusing on this, this week. I’m still coding the update; the next version from me will be version 6.0.0 because I’m overhauling a lot of the under-the-hood code to use namespaces and classes and to keep the plugin itself as light as possible (I hate unnecessary bloat). The settings page is also getting updated to handle the needed allowlists.

    Once I move into the testing phase, I’ll also be writing documentation alongside it, so you’ll likely see that on my website before it’s released.

    For those of you who want to keep getting these updates, click the “subscribe” button on the sidebar of this thread. Thanks!

  • I just released version 5.0.4 to patch the vulnerability. If the plugin is set to update automatically on your site(s), then there’s nothing else you need to do. I shelved the updates for version 6 so I could publish this patch today. Thank you for your patience!
