WP-Safety

ApplyOnline – Application Form Builder and Manager Security & Risk Analysis

wordpress.org/plugins/apply-online

Powerful & intuitive plugin to post ads and start receiving applications online.

3K active installs v2.6.8.1 PHP 7.0+ WP 5.0+ Updated Feb 24, 2026
contact-formcustom-formform-builderpayment-formwp-form
97
A · Safe
CVEs total6
Unpatched0
Last CVEJan 15, 2025
Plugin page Download
Safety Verdict

Is ApplyOnline – Application Form Builder and Manager Safe to Use in 2026?

Generally Safe

Score 97/100

ApplyOnline – Application Form Builder and Manager has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEsLast CVE: Jan 15, 2025Updated 1mo ago
Risk Assessment

The 'apply-online' plugin v2.6.8.1 presents a mixed security posture. While it demonstrates some good practices, such as a relatively low number of critical and high severity vulnerabilities historically and a good percentage of SQL queries using prepared statements and properly escaped outputs, there are significant areas of concern. The presence of two AJAX handlers without authentication checks is a direct entry point for potential unauthorized actions. Furthermore, the historical vulnerability data, with six medium severity CVEs, particularly related to 'Files or Directories Accessible to External Parties', 'Missing Authorization', and 'Cross-site Scripting', indicates a recurring pattern of exploitable weaknesses. Although no critical or high vulnerabilities are currently unpatched, the history suggests a tendency for the plugin to be a target for security flaws. The use of the `unserialize` function, a known risky function, also adds to the potential attack surface, especially if user-controlled data is involved without proper sanitization. Overall, while not currently in a critical state, the plugin requires careful monitoring and proactive patching due to its past and ongoing exploitable characteristics.

Key Concerns

  • AJAX handlers without auth checks
  • Use of unserialize function
  • 6 medium severity CVEs in history
  • SQL queries not fully prepared
  • Output escaping not fully utilized
Vulnerabilities
6

ApplyOnline – Application Form Builder and Manager Security Vulnerabilities

CVEs by Year

3 CVEs in 2023
2023
2 CVEs in 2024
2024
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
6

6 total CVEs

CVE-2025-22721medium · 4.3Missing Authorization

ApplyOnline – Application Form Builder and Manager <= 2.6.7.1 - Missing Authorization

Jan 15, 2025 Patched in 2.6.7.2 (7d)
CVE-2024-10098medium · 5.3Files or Directories Accessible to External Parties

ApplyOnline <= 2.6.2 - Unauthenticated Application Disclosure

Oct 31, 2024 Patched in 2.6.3 (209d)
CVE-2024-2036medium · 4.3Missing Authorization

ApplyOnline – Application Form Builder and Manager <= 2.6.2 - Missing Authorization to Sensitive Information Exposure

May 21, 2024 Patched in 2.6.3 (15d)
CVE-2023-46080medium · 4.3Missing Authorization

ApplyOnline – Application Form Builder and Manager <= 2.5.2 - Missing Authorization

Oct 16, 2023 Patched in 2.5.4 (99d)
CVE-2023-45756medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ApplyOnline – Application Form Builder and Manager <= 2.5.5 - Reflected Cross-Site Scripting

Oct 12, 2023 Patched in 2.5.6 (166d)
CVE-2023-24391medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ApplyOnline – Application Form Builder and Manager <= 2.5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 26, 2023 Patched in 2.5.6 (597d)
Code Analysis
Analyzed Mar 16, 2026

ApplyOnline – Application Form Builder and Manager Code Analysis

Dangerous Functions
6
Raw SQL Queries
2
1 prepared
Unescaped Output
121
242 escaped
Nonce Checks
6
Capability Checks
17
File Operations
3
External Requests
1
Bundled Libraries
1

Dangerous Functions Found

unserializereturn @unserialize( $request['body'] );class-addons-update.php:153
unserializeif(substr($key, 0, 9) == '_aol_app_') $form_fields[$key] = unserialize ($val[0]);includes\applyonline-functions.php:149
unserialize$form_fields[$key] = unserialize($metas[$key][0]);includes\applyonline-functions.php:155
unserializeif (is_string(unserialize($field->meta_value))) update_post_meta ($field->post_id, $field->meta_key,includes\class-applyonline-updater.php:155
unserializeif (is_string(unserialize($field->meta_value))) update_post_meta ($field->post_id, $field->meta_key,includes\class-applyonline-updater.php:155
unserializeif (is_string(unserialize($field->meta_value))) update_post_meta ($field->post_id, $field->meta_key,includes\class-applyonline-updater.php:155

Bundled Libraries

Select2

SQL Query Safety

33% prepared3 total queries

Output Escaping

67% escaped363 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

7 flows3 with unsanitized paths
application_quick_view (admin\class-applyonline-admin.php:937)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

ApplyOnline – Application Form Builder and Manager Attack Surface

Entry Points14
Unprotected2

AJAX Handlers 7

authwp_ajax_application_table_filter_resultadmin\class-applyonline-admin.php:59
authwp_ajax_aol_template_renderadmin\class-applyonline-admin.php:1004
authwp_ajax_aol_ad_form_renderadmin\class-applyonline-admin.php:1005
authwp_ajax_aol_dismiss_noticeincludes\class-applyonline.php:195
authwp_ajax_aol_all_adsincludes\class-applyonline.php:199
authwp_ajax_aol_app_formpublic\class-applyonline-public.php:709
noprivwp_ajax_aol_app_formpublic\class-applyonline-public.php:710

Shortcodes 7

[link] includes\applyonline-functions.php:431
[aol] public\class-applyonline-public.php:376
[aol_ads] public\class-applyonline-public.php:377
[aol_ad] public\class-applyonline-public.php:378
[aol_form] public\class-applyonline-public.php:379
[aol_filters] public\class-applyonline-public.php:380
[aol_features] public\class-applyonline-public.php:381
WordPress Hooks 63
filtercomment_row_actionsadmin\class-applyonline-admin.php:56
actionadd_meta_boxesadmin\class-applyonline-admin.php:366
actionadd_meta_boxesadmin\class-applyonline-admin.php:455
filtermanage_aol_ad_posts_columnsadmin\class-applyonline-admin.php:456
actionmanage_aol_ad_posts_custom_columnadmin\class-applyonline-admin.php:457
actioninitadmin\class-applyonline-admin.php:563
actionedit_form_after_titleadmin\class-applyonline-admin.php:566
filterpost_row_actionsadmin\class-applyonline-admin.php:567
actionadmin_initadmin\class-applyonline-admin.php:568
actionadd_meta_boxesadmin\class-applyonline-admin.php:569
filterwp_insert_post_dataadmin\class-applyonline-admin.php:570
actioninitadmin\class-applyonline-admin.php:571
actionmanage_posts_extra_tablenavadmin\class-applyonline-admin.php:572
actionadmin_action_aol_modal_boxadmin\class-applyonline-admin.php:575
filterpost_date_column_statusadmin\class-applyonline-admin.php:577
filtermanage_edit-aol_application_columnsadmin\class-applyonline-admin.php:580
actionmanage_aol_application_posts_custom_columnadmin\class-applyonline-admin.php:583
actionpre_get_postsadmin\class-applyonline-admin.php:586
filterbulk_actions-edit-aol_applicationadmin\class-applyonline-admin.php:588
filterhandle_bulk_actions-edit-aol_applicationadmin\class-applyonline-admin.php:589
actionaol_print_header_leftadmin\class-applyonline-admin.php:813
actionaol_print_header_rightadmin\class-applyonline-admin.php:819
actionsave_postadmin\class-applyonline-admin.php:999
actionadd_meta_boxesadmin\class-applyonline-admin.php:1001
actionadmin_menuadmin\class-applyonline-admin.php:1444
actionadmin_initadmin\class-applyonline-admin.php:1447
filterplugin_row_metaadmin\class-applyonline-admin.php:1449
filteroption_page_capability_aol_settings_groupadmin\class-applyonline-admin.php:1452
filteroption_page_capability_aol_ad_templateadmin\class-applyonline-admin.php:1453
filteroption_page_capability_aol_adsadmin\class-applyonline-admin.php:1454
filteroption_page_capability_aol_applicationsadmin\class-applyonline-admin.php:1455
actionupdate_option_aol_slugadmin\class-applyonline-admin.php:1708
actionupdate_option_aol_ad_typesadmin\class-applyonline-admin.php:1709
filterpre_set_site_transient_update_pluginsclass-addons-update.php:84
filterplugins_apiclass-addons-update.php:87
filterparent_fileincludes\applyonline-functions.php:346
actioninitincludes\class-applyonline.php:86
actioninitincludes\class-applyonline.php:162
actionadmin_enqueue_scriptsincludes\class-applyonline.php:177
actionadmin_enqueue_scriptsincludes\class-applyonline.php:178
actionpre_get_postsincludes\class-applyonline.php:181
filterposts_joinincludes\class-applyonline.php:184
filterposts_whereincludes\class-applyonline.php:185
filterposts_distinctincludes\class-applyonline.php:186
actionsave_postincludes\class-applyonline.php:188
filterdisplay_post_statesincludes\class-applyonline.php:191
actionadmin_noticesincludes\class-applyonline.php:194
filterwp_dropdown_users_argsincludes\class-applyonline.php:197
actionwp_enqueue_scriptsincludes\class-applyonline.php:213
actionwp_enqueue_scriptsincludes\class-applyonline.php:214
actionpre_get_postsincludes\class-applyonline.php:217
actionset_current_userincludes\class-applyonline.php:218
actionplugins_loadedincludes\class-applyonline.php:232
actionrest_api_initincludes\class-applyonline.php:246
filtergettextincludes\class-applyonline.php:448
filtergettext_with_contextincludes\class-applyonline.php:449
filterbody_classpublic\class-applyonline-public.php:176
filterthe_contentpublic\class-applyonline-public.php:177
filterexcerpt_morepublic\class-applyonline-public.php:444
filteraol_form_errorspublic\class-applyonline-public.php:711
filterupload_dirpublic\class-applyonline-public.php:775
filteraol_form_errorsrest\class-applyonline-rest-functions.php:26
filterupload_dirrest\class-applyonline-rest-functions.php:89
Maintenance & Trust

ApplyOnline – Application Form Builder and Manager Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 24, 2026
PHP min version7.0
Downloads237K

Community Trust

Rating82/100
Number of ratings41
Active installs3K
Alternatives

ApplyOnline – Application Form Builder and Manager Alternatives

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

fluentform

B
82

Get a fast contact form plugin. Create advanced forms using drag and drop form builder with all smart features.

600K 27 CVEs
SureForms – Contact Form, Payment Form & Other Custom Form Builder

SureForms – Contact Form, Payment Form & Other Custom Form Builder

sureforms

A
88

The most beginner-friendly, AI Form Builder for WordPress to create contact forms, payment forms & other custom forms with advanced features, with &hellip;

400K 15 CVEs
Custom Form Builder, Contact Forms, Payment Forms, Surveys, Polls

Custom Form Builder, Contact Forms, Payment Forms, Surveys, Polls

powr-pack

A
91

The best 60 plugins for WP. Easy contact form plugin, social feed, popup, countdown, and more.

1K 2 CVEs
The Innovative Form Builder – IvyForms

The Innovative Form Builder – IvyForms

ivyforms

A
100

The most innovative WordPress Form Builder plugin. Build awesome contact, order, registration, custom forms, and more in minutes.

100 No CVEs
FormGlut — Contact, Newsletter & Multi-step Form Builder

FormGlut — Contact, Newsletter & Multi-step Form Builder

formglut

A
100

User friendly, Lightweight, Drag & Drop form builder to create your WordPress Forms

10 No CVEs
Developer Profile

ApplyOnline – Application Form Builder and Manager Developer Profile

Farhan Noor

2 plugins · 12K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
182 days
View full developer profile
Detection Fingerprints

How We Detect ApplyOnline – Application Form Builder and Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/apply-online/css/select2.min.css/wp-content/plugins/apply-online/css/applyonline-admin.css/wp-content/plugins/apply-online/select2/css/select2.min.css/wp-content/plugins/apply-online/css/jquery-ui.min.css/wp-content/plugins/apply-online/js/applyonline-admin.js/wp-content/plugins/apply-online/js/select2.min.js
Script Paths
/wp-content/plugins/apply-online/js/applyonline-admin.js/wp-content/plugins/apply-online/js/select2.min.js
Version Parameters
apply-online/css/select2.min.css?ver=apply-online/css/applyonline-admin.css?ver=apply-online/select2/css/select2.min.css?ver=apply-online/css/jquery-ui.min.css?ver=apply-online/js/applyonline-admin.js?ver=apply-online/js/select2.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
aol-input-fieldaol-field-divaol-submit-buttonaol-form-wrapaol-form-builder-wrap
HTML Comments
<!-- Default value --><!-- For a select option --><!-- For a radio option --><!-- For a checkbox option -->+11 more
Data Attributes
data-aol-field-typedata-aol-form-iddata-aol-field-iddata-aol-field-namedata-aol-field-placeholder
JS Globals
aol_admin
REST Endpoints
/wp-json/applyonline/v1/forms/wp-json/applyonline/v1/submissions/wp-json/applyonline/v1/settings
Shortcode Output
<form id="apply-online-form"<div class="apply-online-form-wrapper"<input type="hidden" name="apply_online_nonce" value="
FAQ

Frequently Asked Questions about ApplyOnline – Application Form Builder and Manager