Title: Unauthenticated Arbitrary Shortcode Execution
Last modified: December 18, 2025

---

# Unauthenticated Arbitrary Shortcode Execution

 *  Resolved [andresduro](https://wordpress.org/support/users/andresduro/)
 * (@andresduro)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/unauthenticated-arbitrary-shortcode-execution-2/)
 * The The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable
   to arbitrary shortcode execution in all versions up to, and including, 5.0.3.
   This is due to the software allowing users to execute an action that does not
   properly validate a value before running do_shortcode. This makes it possible
   for unauthenticated attackers to execute arbitrary shortcodes.
 * [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/contact-form-7-dynamic-text-extension/contact-form-7-dynamic-text-extension-503-unauthenticated-arbitrary-shortcode-execution](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/contact-form-7-dynamic-text-extension/contact-form-7-dynamic-text-extension-503-unauthenticated-arbitrary-shortcode-execution)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [jchambo](https://wordpress.org/support/users/jchambo/)
 * (@jchambo)
 * [5 months, 1 week ago](https://wordpress.org/support/topic/unauthenticated-arbitrary-shortcode-execution-2/#post-18771873)
 * No response from the DEV?
 *  Plugin Author [Tessa (they/them), AuRise Creative](https://wordpress.org/support/users/tessawatkinsllc/)
 * (@tessawatkinsllc)
 * [5 months, 1 week ago](https://wordpress.org/support/topic/unauthenticated-arbitrary-shortcode-execution-2/#post-18772451)
 * Hello! I just released version 5.0.4 to patch the vulnerability. If the plugin
   is set to update automatically on your site(s), then there’s nothing else you
   need to do. I shelved the updates for version 6 so I could publish this patch
   today. Thank you for your patience!

Viewing 2 replies - 1 through 2 (of 2 total)

You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Funauthenticated-arbitrary-shortcode-execution-2%2F%3Foutput_format%3Dmd&locale=en_US)
to reply to this topic.

 * ![](https://ps.w.org/contact-form-7-dynamic-text-extension/assets/icon-256x256.
   png?rev=3019574)
 * [Contact Form 7 - Dynamic Text Extension](https://wordpress.org/plugins/contact-form-7-dynamic-text-extension/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/contact-form-7-dynamic-text-extension/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/contact-form-7-dynamic-text-extension/)
 * [Active Topics](https://wordpress.org/support/plugin/contact-form-7-dynamic-text-extension/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/contact-form-7-dynamic-text-extension/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/contact-form-7-dynamic-text-extension/reviews/)

 * 3 replies
 * 3 participants
 * Last reply from: [Tessa (they/them), AuRise Creative](https://wordpress.org/support/users/tessawatkinsllc/)
 * Last activity: [5 months, 1 week ago](https://wordpress.org/support/topic/unauthenticated-arbitrary-shortcode-execution-2/#post-18772451)
 * Status: resolved