Abandoned Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/abandoned-contact-form-7

Abandoned Contact Form 7 provides an ability to track the data from Contact Form 7 even if the user does not submit the form.

100 active installs · v2.2 · PHP 5.6+ · WP 3.5+ · Updated Dec 16, 2025
Tags: abandoned, contact-form-7, email, export, wpvip
Score: 78 (B · Generally Safe)
CVEs total: 1
Unpatched: 1
Last CVE: Jun 23, 2025
Safety Verdict

Is Abandoned Contact Form 7 Safe to Use in 2026?

Mostly Safe

Score 78/100

Abandoned Contact Form 7 is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Jun 23, 2025 · Updated 3mo ago
Risk Assessment

The "abandoned-contact-form-7" plugin v2.2 presents a concerning security posture due to a significant number of unprotected AJAX handlers and a history of security vulnerabilities. While the plugin demonstrates good practices in handling SQL queries with prepared statements and a high rate of output escaping, the presence of four AJAX handlers without authentication checks creates a substantial attack surface. The taint analysis indicates potential risks with unsanitized paths, although no critical or high severity flows were detected. The plugin's vulnerability history, including a currently unpatched medium severity CVE and a pattern of missing authorization issues, is a strong indicator of ongoing security weaknesses that require immediate attention.

Despite the proper use of prepared statements and reasonable output escaping, the critical flaws lie in the lack of authorization for its entry points and the historical vulnerability trends. The `unserialize` function, while not directly shown to be exploitable in the taint analysis, is inherently risky and warrants careful scrutiny. The vulnerability history strongly suggests a recurring problem with authorization, which, when combined with unprotected AJAX endpoints, could lead to serious security breaches. Users should exercise extreme caution when using this plugin, and immediate patching of the known CVE is paramount.

Key Concerns

  • 4 AJAX handlers without auth checks
  • 1 currently unpatched CVE (medium severity)
  • 5 flows with unsanitized paths
  • 1 dangerous function (unserialize)
  • 0 capability checks
Vulnerabilities
1

Abandoned Contact Form 7 Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-52817 · medium · 5.3 · Missing Authorization

Abandoned Contact Form 7 <= 2.0 - Missing Authorization

Jun 23, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Abandoned Contact Form 7 Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 16 (99 escaped)
  • Nonce Checks: 4
  • Capability Checks: 0
  • File Operations: 1
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · `return @unserialize( $request['body'] );` · inc\class.cf7af.update.php:162

Output Escaping

86% escaped · 115 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

6 flows · 5 with unsanitized paths
action__cf7af_restrict_manage_posts (inc\admin\class.cf7af.admin.action.php:371)
Attack Surface
4 unprotected

Abandoned Contact Form 7 Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers 4

auth · wp_ajax_wpcf7forms_abandoned · inc\class.cf7af.php:46
nopriv · wp_ajax_wpcf7forms_abandoned · inc\class.cf7af.php:47
auth · wp_ajax_remove_abandoned · inc\class.cf7af.php:48
nopriv · wp_ajax_remove_abandoned · inc\class.cf7af.php:49

WordPress Hooks 32
action · admin_init · inc\admin\class.cf7af.admin.action.php:29
action · init · inc\admin\class.cf7af.admin.action.php:30
action · add_meta_boxes · inc\admin\class.cf7af.admin.action.php:31
action · manage_cf7af_data_posts_custom_column · inc\admin\class.cf7af.admin.action.php:32
action · wpcf7_save_contact_form · inc\admin\class.cf7af.admin.action.php:34
action · pre_get_posts · inc\admin\class.cf7af.admin.action.php:35
action · admin_menu · inc\admin\class.cf7af.admin.action.php:36
action · restrict_manage_posts · inc\admin\class.cf7af.admin.action.php:37
action · parse_query · inc\admin\class.cf7af.admin.action.php:38
action · admin_notices · inc\admin\class.cf7af.admin.action.php:78
action · admin_notices · inc\admin\class.cf7af.admin.action.php:106
action · plugins_loaded · inc\admin\class.cf7af.admin.action.php:612
filter · wpcf7_editor_panels · inc\admin\class.cf7af.admin.filter.php:25
filter · post_row_actions · inc\admin\class.cf7af.admin.filter.php:26
filter · manage_edit-cf7af_data_sortable_columns · inc\admin\class.cf7af.admin.filter.php:27
filter · manage_cf7af_data_posts_columns · inc\admin\class.cf7af.admin.filter.php:28
filter · wpforms_display_media_button · inc\admin\class.cf7af.admin.filter.php:29
filter · pre_get_posts · inc\admin\class.cf7af.admin.filter.php:30
action · plugins_loaded · inc\admin\class.cf7af.admin.filter.php:239
action · plugins_loaded · inc\admin\class.cf7af.admin.php:64
action · plugins_loaded · inc\class.cf7af.php:45
action · init · inc\class.cf7af.php:296
action · admin_init · inc\class.cf7af.php:297
action · admin_notices · inc\class.cf7af.php:344
filter · pre_set_site_transient_update_plugins · inc\class.cf7af.update.php:76
filter · plugins_api · inc\class.cf7af.update.php:79
action · upgrader_process_complete · inc\class.cf7af.update.php:80
action · wp_enqueue_scripts · inc\front\class.cf7af.front.action.php:24
action · wp_footer · inc\front\class.cf7af.front.action.php:25
action · plugins_loaded · inc\front\class.cf7af.front.action.php:162
action · plugins_loaded · inc\front\class.cf7af.front.filter.php:50
action · plugins_loaded · inc\front\class.cf7af.front.php:64

Scheduled Events 1

cf7af_send_notify_event
Maintenance & Trust

Abandoned Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 16, 2025
PHP min version: 5.6
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 7
Active installs: 100
Developer Profile

Abandoned Contact Form 7 Developer Profile

ZealousWeb

18 plugins · 7K total installs

Trust score: 87
Avg Security Score: 98/100
Avg Patch Time: 88 days
Detection Fingerprints

How We Detect Abandoned Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/abandoned-contact-form-7/inc/admin/js/cf7af-admin.js
/wp-content/plugins/abandoned-contact-form-7/inc/admin/css/cf7af-admin.css
Version Parameters
abandoned-contact-form-7/inc/admin/css/cf7af-admin.css?ver=
abandoned-contact-form-7/inc/admin/js/cf7af-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
cf7af-abandoned-form
Data Attributes
data-cf7af-nonce
JS Globals
cf7af_ajax_object