Message Filter for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/cf7-message-filter

Filter messages submitted through contact form 7 based on words and/or emails listed as restricted.

1K active installs · v1.6.3.8 · PHP 8.0+ · WP 6.6+ · Updated Oct 25, 2025
Tags: contact-form-7, filter, spam, spam-filter, wpforms
Score: 96 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Apr 22, 2025
Safety Verdict

Is Message Filter for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 96/100

Message Filter for Contact Form 7 has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Apr 22, 2025 · Updated 5mo ago
Risk Assessment

The 'cf7-message-filter' plugin v1.6.3.8 presents a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and implementing nonce checks for a significant portion of its entry points. The absence of critical or high-severity vulnerabilities in its history and the fact that all past CVEs are patched are also encouraging signs.

However, significant concerns arise from the static analysis. The presence of one AJAX handler without any authentication checks creates a direct pathway for unauthorized access or actions. Furthermore, the taint analysis revealed two flows with unsanitized paths, indicating potential vulnerabilities related to input handling, although these did not reach critical or high severity. The relatively low percentage of properly escaped output (45%) is also a concern, suggesting a higher risk of Cross-Site Scripting (XSS) vulnerabilities.

The plugin's vulnerability history, while currently clear of unpatched issues, shows a pattern of medium-severity vulnerabilities including SQL Injection, Missing Authorization, and XSS. This historical trend, coupled with the current static analysis findings, suggests that while the developers are responsive to patching, the codebase may have recurring weaknesses in input validation and authorization enforcement.

Key Concerns

  • AJAX handler without authentication checks
  • Taint flows with unsanitized paths
  • Low percentage of properly escaped output
  • Medium severity vulnerabilities in history
Vulnerabilities (4)

Message Filter for Contact Form 7 Security Vulnerabilities

CVEs by Year

2024: 3 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2025-46252 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Message Filter for Contact Form 7 <= 1.6.3.2 - Authenticated (Administrator+) SQL Injection

Apr 22, 2025 · Patched in 1.6.33 (9d)

CVE-2024-12026 · medium · 4.3 · Missing Authorization

Message Filter for Contact Form 7 <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) New Filter Creation

Dec 6, 2024 · Patched in 1.6.3.1 (6d)

CVE-2024-12027 · medium · 4.3 · Missing Authorization

Message Filter for Contact Form 7 <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Filter Updates/Deletions

Dec 5, 2024 · Patched in 1.6.3.1 (5d)

CVE-2024-39647 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Message Filter for Contact Form 7 <= 1.6.1.1 - Reflected Cross-Site Scripting

Aug 1, 2024 · Patched in 1.6.2 (7d)

Code Analysis (analyzed Mar 16, 2026)

Message Filter for Contact Form 7 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 91 (75 escaped)
Nonce Checks: 11
Capability Checks: 9
File Operations: 1
External Requests: 1
Bundled Libraries: 3

Bundled Libraries

DataTables, Select2, Freemius 1.0

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

45% escaped (166 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

3 flows, 2 with unsanitized paths
Flow located in MessagesModule (modules\messages\MessagesModule.php:0)
Attack Surface (1 unprotected)

Message Filter for Contact Form 7 Attack Surface

Entry Points: 12
Unprotected: 1

AJAX Handlers (12)

[auth] wp_ajax_kmcfmf_dismiss_data_collection_notice (modules\data_collection\DataCollectionModule.php:323)
[auth] wp_ajax_kmcfmf_delete_filter (modules\filters\FiltersModule.php:211)
[auth] wp_ajax_kmcfmf_update_filter (modules\filters\FiltersModule.php:212)
[auth] wp_ajax_kmcfmf_save_filter (modules\filters\FiltersModule.php:213)
[auth] wp_ajax_kmcf7_download_csv (modules\messages\MessagesModule.php:689)
[auth] wp_ajax_kmcf7_messages (modules\messages\MessagesModule.php:690)
[auth] wp_ajax_kmcf7_delete_message (modules\messages\MessagesModule.php:691)
[auth] wp_ajax_kmcf7_delete_all_messages (modules\messages\MessagesModule.php:692)
[auth] wp_ajax_kmcf7_resubmit_message (modules\messages\MessagesModule.php:693)
[auth] wp_ajax_kmcf7_save_visible_columns (modules\messages\MessagesModule.php:694)
[auth] wp_ajax_kmcf7_clear_suggested_spam_words (modules\settings\SettingsModule.php:560)
[auth] wp_ajax_kmcf7_get_stats (modules\statistics\StatisticsModule.php:158)
WordPress Hooks (27)

[action] after_uninstall (cf7-message-filter.php:68)
[action] admin_notices (cf7-message-filter.php:101)
[action] init (cf7-message-filter.php:192)
[action] admin_enqueue_scripts (core\KMCFMessageFilter.php:61)
[action] wp_enqueue_scripts (core\KMCFMessageFilter.php:62)
[action] admin_notices (core\KMCFMessageFilter.php:63)
[filter] kmcf7_requires_filter (core\requires.php:8)
[filter] kmcf7_includes_filter (models\includes.php:19)
[filter] wpcf7_skip_mail (modules\contactform7\ContactForm7Module.php:381)
[filter] wpcf7_flamingo_submit_if (modules\contactform7\ContactForm7Module.php:387)
[filter] wpcf7_validate_email (modules\contactform7\ContactForm7Module.php:397)
[filter] wpcf7_validate_email* (modules\contactform7\ContactForm7Module.php:403)
[filter] wpcf7_validate_textarea (modules\contactform7\ContactForm7Module.php:411)
[filter] wpcf7_validate_textarea* (modules\contactform7\ContactForm7Module.php:417)
[filter] wpcf7_validate_text (modules\contactform7\ContactForm7Module.php:423)
[filter] wpcf7_validate_text* (modules\contactform7\ContactForm7Module.php:429)
[filter] kmcf7_sub_menu_pages_filter (modules\dashboard\DashboardModule.php:60)
[filter] http_request_timeout (modules\data_collection\DataCollectionModule.php:127)
[filter] https_ssl_verify (modules\data_collection\DataCollectionModule.php:135)
[filter] kmcf7_includes_filter (modules\includes.php:9)
[filter] kmcf7_sub_menu_pages_filter (modules\messages\MessagesModule.php:682)
[filter] kmcf7_sub_menu_pages_filter (modules\settings\SettingsModule.php:554)
[filter] wpforms_process_initial_errors (modules\wpforms\WpFormsModule.php:401)
[filter] wpforms_process_initial_errors (modules\wpforms\WpFormsModule.php:409)
[filter] wpforms_process_initial_errors (modules\wpforms\WpFormsModule.php:415)
[action] wpforms_disable_all_emails (modules\wpforms\WpFormsModule.php:426)
[action] wpforms_entry_email_atts (modules\wpforms\WpFormsModule.php:432)
Maintenance & Trust

Message Filter for Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 25, 2025
PHP min version: 8.0
Downloads: 49K

Community Trust

Rating: 98/100
Number of ratings: 13
Active installs: 1K
Developer Profile

Message Filter for Contact Form 7 Developer Profile

Kofi Mokome

3 plugins · 1K total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect Message Filter for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cf7-message-filter/assets/css/frontend.css
/wp-content/plugins/cf7-message-filter/assets/css/backend.css
/wp-content/plugins/cf7-message-filter/assets/js/frontend.js
/wp-content/plugins/cf7-message-filter/assets/js/backend.js
Script Paths
/wp-content/plugins/cf7-message-filter/assets/js/frontend.js
/wp-content/plugins/cf7-message-filter/assets/js/backend.js
Version Parameters
cf7-message-filter/assets/css/frontend.css?ver=
cf7-message-filter/assets/css/backend.css?ver=
cf7-message-filter/assets/js/frontend.js?ver=
cf7-message-filter/assets/js/backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
kmcfmf-spam-message
HTML Comments
TODO: PLUGIN BIRTHDAY IS ON THE 30TH AUGUST 2018
TODO: for future use
JS Globals
kmcf7ms_fs
FAQ

Frequently Asked Questions about Message Filter for Contact Form 7