Campaign Monitor Forms by Optin Cat Security & Risk Analysis

wordpress.org/plugins/campaign-monitor-wp

Campaign Monitor Forms by Optin Cat For WordPress Helps You Get More Email Subscribers. Create Beautiful Campaign Monitor Forms In 2 Minutes.

200 active installs · v2.6.1 · PHP + WP 3.9.1+ · Updated Dec 2, 2025

Tags: campaign-monitor, campaign-monitor-block, campaign-monitor-form, campaign-monitor-widget, campaign-monitor-wordpress

Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Dec 2, 2024
Safety Verdict

Is Campaign Monitor Forms by Optin Cat Safe to Use in 2026?

Generally Safe

Score 98/100

Campaign Monitor Forms by Optin Cat has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Dec 2, 2024 · Updated 4mo ago
Risk Assessment

The "campaign-monitor-wp" plugin v2.6.1 exhibits a generally good security posture with several positive indicators. The static analysis shows a complete absence of unprotected AJAX handlers, REST API routes, shortcodes, or cron events, indicating a strong emphasis on securing entry points. The high percentage of prepared statements for SQL queries and properly escaped outputs are also favorable signs. Furthermore, the presence of nonce and capability checks on all identified AJAX handlers contributes to a robust defense against common attack vectors.

However, there are areas that warrant attention. The 2 taint flows with unsanitized paths, although not rated critical or high, could become issues if those paths are reachable from user input. The static analysis also identified file operations and external HTTP requests, which can become vulnerability vectors if they are not handled with care and proper sanitization. The plugin's vulnerability history, two past CVEs (one high severity and one medium severity), points to recurring security weaknesses, specifically Cross-site Scripting and Missing Authorization. Although both have since been patched, this history should be read as a strong signal for ongoing vigilance and proactive security measures.

In conclusion, while "campaign-monitor-wp" v2.6.1 has implemented many good security practices, the past vulnerabilities and the identified unsanitized paths in the taint analysis suggest that it is not entirely risk-free. The plugin has strengths in its secure handling of entry points and data sanitization, but its history indicates a need for continuous monitoring and potentially more rigorous auditing of code paths handling user-controlled data. The outdated bundled library also presents a minor but persistent risk.

Key Concerns

  • Taint flows with unsanitized paths found
  • Bundled outdated library: Select2 v3.5.0
  • Vulnerability history: 1 high severity CVE
  • Vulnerability history: 1 medium severity CVE
Vulnerabilities (2)

Campaign Monitor Forms by Optin Cat Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2024-11326 (medium · 6.1): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Campaign Monitor Forms by Optin Cat <= 2.5.7 - Reflected Cross-Site Scripting

Dec 2, 2024 · Patched in 2.5.8 (1d)

CVE-2023-5098 (high · 7.1): Missing Authorization

Campaign Monitor Forms <= 2.5.5 - Missing Authorization to Authenticated(Subscriber+) Options Update via ajax_dismiss_notice

Oct 9, 2023 · Patched in 2.5.6 (106d)
Code Analysis
Analyzed Mar 16, 2026

Campaign Monitor Forms by Optin Cat Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (8 prepared)
Unescaped Output: 12 (153 escaped)
Nonce Checks: 8
Capability Checks: 7
File Operations: 7
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Select2 3.5.0

SQL Query Safety

80% prepared (8 of 10 total queries)

Output Escaping

93% escaped (153 of 165 total outputs)

Data Flows: 2 unsanitized

Data Flow Analysis

5 flows, 2 with unsanitized paths

Flow diagram: <eoi-post-types> (includes\eoi-post-types.php:0). Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized.
Attack Surface

Campaign Monitor Forms by Optin Cat Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers (6)

auth: wp_ajax_fca_eoi_activity (includes\eoi-activity.php:44)
nopriv: wp_ajax_fca_eoi_activity (includes\eoi-activity.php:45)
auth: wp_ajax_fca_eoi_subscribe (includes\eoi-post-types.php:53)
nopriv: wp_ajax_fca_eoi_subscribe (includes\eoi-post-types.php:54)
auth: wp_ajax_fca_eoi_dismiss (includes\eoi-post-types.php:56)
auth: wp_ajax_fca_eoi_uninstall (includes\eoi-uninstall.php:74)
WordPress Hooks (55)

filter: pre_set_site_transient_update_plugins (includes\classes\edd_sl\EDD_SL_Plugin_Updater.php:75)
filter: plugins_api (includes\classes\edd_sl\EDD_SL_Plugin_Updater.php:76)
action: after_plugin_row (includes\classes\edd_sl\EDD_SL_Plugin_Updater.php:77)
action: admin_init (includes\classes\edd_sl\EDD_SL_Plugin_Updater.php:78)
action: in_admin_footer (includes\classes\k\k.php:563)
action: init (includes\eoi-block.php:48)
action: enqueue_block_editor_assets (includes\eoi-block.php:99)
action: wp_dashboard_setup (includes\eoi-functions.php:18)
filter: tiny_mce_before_init (includes\eoi-functions.php:234)
action: init (includes\eoi-post-types.php:21)
filter: manage_easy-opt-ins_posts_columns (includes\eoi-post-types.php:22)
action: manage_easy-opt-ins_posts_custom_column (includes\eoi-post-types.php:23)
filter: post_row_actions (includes\eoi-post-types.php:24)
action: admin_post_fca_eoi_reset_stats (includes\eoi-post-types.php:27)
action: wp_dashboard_setup (includes\eoi-post-types.php:30)
action: save_post (includes\eoi-post-types.php:33)
filter: the_content (includes\eoi-post-types.php:36)
action: admin_enqueue_scripts (includes\eoi-post-types.php:39)
action: admin_head (includes\eoi-post-types.php:41)
action: admin_notices (includes\eoi-post-types.php:43)
action: admin_notices (includes\eoi-post-types.php:46)
filter: admin_body_class (includes\eoi-post-types.php:49)
filter: wp_insert_post_data (includes\eoi-post-types.php:51)
filter: get_user_option_screen_layout_easy-opt-ins (includes\eoi-post-types.php:58)
filter: get_user_option_meta-box-order_easy-opt-ins (includes\eoi-post-types.php:60)
filter: post_updated_messages (includes\eoi-post-types.php:62)
filter: bulk_actions-edit-easy-opt-ins (includes\eoi-post-types.php:64)
filter: post_row_actions (includes\eoi-post-types.php:66)
action: admin_notices (includes\eoi-post-types.php:68)
filter: enter_title_here (includes\eoi-post-types.php:70)
filter: init (includes\eoi-post-types.php:72)
filter: the_content (includes\eoi-post-types.php:79)
action: wp_head (includes\eoi-post-types.php:81)
action: wp_footer (includes\eoi-post-types.php:82)
filter: wp_footer (includes\eoi-post-types.php:85)
filter: fca_eoi_alter_admin_notices (includes\eoi-post-types.php:93)
action: wp (includes\eoi-post-types.php:2164)
action: admin_menu (includes\eoi-powerups.php:22)
action: admin_init (includes\eoi-powerups.php:55)
filter: fca_eoi_setting_filter (includes\eoi-subscribers.php:27)
action: fca_eoi_after_submission (includes\eoi-subscribers.php:171)
action: admin_menu (includes\eoi-subscribers.php:172)
action: plugins_loaded (includes\eoi-subscribers.php:173)
filter: wp_privacy_personal_data_exporters (includes\eoi-subscribers.php:174)
filter: wp_privacy_personal_data_erasers (includes\eoi-subscribers.php:175)
action: admin_enqueue_scripts (includes\eoi-uninstall.php:40)
action: admin_menu (includes\eoi-upgrade.php:57)
action: admin_footer (includes\eoi-upgrade.php:58)
filter: admin_footer_text (includes\eoi-upgrade.php:59)
action: admin_notices (includes\eoi-upgrade.php:60)
action: widgets_init (includes\eoi-widget.php:12)
filter: fca_eoi_setting_filter (powerups\2_custom_css\powerup.php:11)
action: fca_eoi_powerups (powerups\2_custom_css\powerup.php:22)
action: admin_enqueue_scripts (powerups\2_custom_css\powerup.php:23)
filter: fca_eoi_alter_form (powerups\2_custom_css\powerup.php:24)
Maintenance & Trust

Campaign Monitor Forms by Optin Cat Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 2, 2025
PHP min version:
Downloads: 33K

Community Trust

Rating: 78/100
Number of ratings: 7
Active installs: 200
Developer Profile

Campaign Monitor Forms by Optin Cat Developer Profile

fatcatapps

13 plugins · 67K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 242 days
Detection Fingerprints

How We Detect Campaign Monitor Forms by Optin Cat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/campaign-monitor-wp/includes/css/eoi-admin-style.css
/wp-content/plugins/campaign-monitor-wp/includes/css/eoi-public-style.css
/wp-content/plugins/campaign-monitor-wp/includes/js/admin/eoi-admin-settings.js
/wp-content/plugins/campaign-monitor-wp/includes/js/public/eoi-public.js
Script Paths
/wp-content/plugins/campaign-monitor-wp/includes/js/admin/eoi-admin-settings.js
/wp-content/plugins/campaign-monitor-wp/includes/js/public/eoi-public.js
Version Parameters
campaign-monitor-wp/includes/css/eoi-admin-style.css?ver=
campaign-monitor-wp/includes/css/eoi-public-style.css?ver=
campaign-monitor-wp/includes/js/admin/eoi-admin-settings.js?ver=
campaign-monitor-wp/includes/js/public/eoi-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
fca_eoi_form_container, fca_eoi_form, fca_eoi_headline, fca_eoi_submit_button, eoi-subscribe-form-wrapper
Data Attributes
data-fca_eoi_list_id, data-fca_eoi_thank_you_mode
JS Globals
fca_eoi_script_vars
Shortcode Output
<div class="fca_eoi_form_container"><form class="fca_eoi_form" method="post"><h2 class="fca_eoi_headline"><input type="submit" value="
FAQ

Frequently Asked Questions about Campaign Monitor Forms by Optin Cat