
Calculated Fields Form Security & Risk Analysis
wordpress.org/plugins/calculated-fields-form
The CFF plugin allows you to create both simple and professional forms. Its form builder includes dynamic calculated fields and many other controls.
Is Calculated Fields Form Safe to Use in 2026?
Generally Safe
Score 86/100
Calculated Fields Form has a strong security track record. Known vulnerabilities have been patched promptly.
The "calculated-fields-form" plugin v5.4.5.1 exhibits a mixed security posture. On the positive side, the static analysis reveals a robust implementation regarding entry points, with all identified AJAX handlers, REST API routes, shortcodes, and cron events appearing to have proper authentication and permission checks. The plugin also demonstrates good practices with a high percentage of SQL queries using prepared statements and a strong adherence to output escaping. Furthermore, the taint analysis shows no critical or high-severity vulnerabilities, and there are no unsanitized paths identified.
However, the plugin's vulnerability history is a significant concern. A total of 17 known CVEs, including one critical and one high-severity vulnerability, indicates a recurring pattern of security weaknesses. The common vulnerability types listed, such as missing authorization, CSRF, and various forms of injection and XSS, suggest that while the current version might be free of *unpatched* critical issues, the historical prevalence of these types points to potential systemic flaws or a tendency to introduce new vulnerabilities. The plugin also uses the dangerous function `unserialize`. The static analysis does not flag this use as a vulnerability, but the function is often associated with security risks if not handled with extreme care, especially when dealing with user-supplied data.
In conclusion, while the current static analysis for v5.4.5.1 shows good implementation of security best practices and a clean taint analysis, the extensive and severe historical vulnerability record for this plugin cannot be ignored. This suggests a higher underlying risk that, despite current efforts, future versions or edge cases could still pose a threat. Users should exercise caution and remain vigilant for future updates and security advisories.
Key Concerns
- High number of historical CVEs (17 total)
- 1 critical CVE in history
- 1 high CVE in history
- Use of dangerous function: unserialize
Calculated Fields Form Security Vulnerabilities
CVEs by Year
Severity Breakdown
17 total CVEs
Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings
Calculated Fields Form <= 5.4.4.1 - Missing Authorization
Calculated Fields Form <= 5.3.58 - Cross-Site Request Forgery
Calculated Fields Form <= 5.2.61 - Authenticated (Admin+) Stored Cross-Site Scripting
Calculated Fields Form <= 5.2.61 - Authenticated (Admin+) Stored Cross-Site Scripting
Calculated Fields Form <= 5.2.63 - Authenticated (Admin+) Stored Cross-Site Scripting
Calculated Fields Form <= 5.2.63 - Denial of Service
Calculated Fields Form <= 5.2.45 - HTML Injection
Calculated Fields Form <= 1.2.54 - Reflected Cross-Site Scripting
Calculated Fields Form Professional <= 5.1.56 - Unauthenticated Stored Cross-Site Scripting
Calculated Fields Form <= 1.2.52 - Authenticated (Contributor+) Stored Cross-Site Scripting
Calculated Fields Form <= 1.2.28 - Authenticated (Contributor+) Open Redirect via Shortcode
Calculated Fields Form <= 1.2.40 - Authenticated (Admin+) Stored Cross-Site Scripting
Calculated Fields Form <= 1.1.120 - Cross-Site Request Forgery
Calculated Fields Form <= 1.1.150 - Authenticated (Administrator+) Stored Cross-Site Scripting
Calculated Fields Form <= 1.0.353 - Authenticated Stored Cross-Site Scripting
Calculated Fields Form <= 1.0.11 - Cross-Site Request Forgery to SQL Injection
Calculated Fields Form Code Analysis
Dangerous Functions Found
Bundled Libraries
SQL Query Safety
Output Escaping
Data Flow Analysis
Calculated Fields Form Attack Surface
- AJAX Handlers: 2
- Shortcodes: 3
- WordPress Hooks: 74
- Scheduled Events: 1
Calculated Fields Form Maintenance & Trust
Maintenance Signals
Community Trust
Calculated Fields Form Alternatives
Cost Calculator for Contact Form 7 – Price Calculator Free
cf7-cost-calculator-price-calculation
With Contact Form 7 Cost Calculator – Price Calculation Form you can create forms with dynamically calculated fields to display the calculated values!
Atlas Discuss Quote Form Demo
atlas-discuss-quote-form
An easy to use Quote Form management system that enables users to submit Quote maintain by wordpress backend.
Smart AI Forms – AI Form Builder for WordPress
smart-ai-forms-lite
The only WordPress form builder that generates complete forms from a plain English prompt. No API key needed. Drag, drop, or just describe it.
HelloForm
helloform
A customizable contact form plugin for creating quote requests with HelloForm’s drag & drop builder and reCAPTCHA support.
Taiwan Web Designs Quote Popup
taiwanweb-quote-popup
A powerful multi-step popup form to capture leads and quotes. Easy setup, beautiful design, CSV export for email marketing.
Calculated Fields Form Developer Profile
34 plugins · 89K total installs
How We Detect Calculated Fields Form
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
HTML / DOM Fingerprints
- cff-form
- cff-container
- cff-field
- cff-button
- cff-dropdown
- cff-datepicker
- cff-colorpicker
- cff-section
- +4 more
- `<!--Calculated Fields Form-->`
- `<!-- end Calculated Fields Form -->`
- `<!-- Calculated Fields Form`
- `Calculated Fields Form -->`
- data-cff-id
- data-cff-field-type
- data-cff-field-name
- data-cff-form-id
- data-cff-sequence
- CPCFF_MAIN_instance
- CP_CALCULATEDFIELDSF_ID
- CP_CALCULATEDFIELDSF_CALCULATED_FIELDS
- CP_CALCULATEDFIELDSF_FORM_LOADED_SCRIPT
- CP_CALCULATEDFIELDSF_GLOBAL_VARS
- CP_CALCULATEDFIELDSF_AJAX_URL
- +2 more
- `[calculated-fields-form`
- `calculated-fields-form id=`