Subscribing for follow-up
Yes to both questions. When a security vulnerability is reported on either the Wordfence Intelligence Vulnerability Submission Form or the Patchstack Vulnerability Disclosure Program, I am now automatically notified. More often than not, the report remains private until it is patched to avoid adding additional risks to sites by disclosing details. For updates on this particular report, please see this article here on my website or send me an email. It is for that same reason that I do not disclose vulnerability report details publicly.
Patchstack reviewed the patch submitted in version 5.0.5 on March 24, 2026, and marked it as incomplete, meaning the immediate vulnerability has been patched but the security around it could be hardened even more. These additional security features will be added in the upcoming version 6 of Contact Form 7 – Dynamic Text Extension. I do not yet have a timeline for its release.
—April 8, 2026
For the security of all users, please do not report security bugs or vulnerabilities in these support forums. Thank you!
