Does Multi Step for Contact Form 7 have any unpatched vulnerabilities?

No. All known vulnerabilities in Multi Step for Contact Form 7 have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Multi Step for Contact Form 7 compatible with WordPress 6.8.5?

According to WordPress.org data, Multi Step for Contact Form 7 2.7.9 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

How often is Multi Step for Contact Form 7 updated?

Multi Step for Contact Form 7 was last updated on Oct 15, 2025. Frequent updates are generally a positive security signal.

What is Multi Step for Contact Form 7's security score?

Multi Step for Contact Form 7 has a WP-Safety security score of 98/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Multi Step for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/cf7-multi-step

Break your looooooong form into user-friendly steps

10K active installs v2.7.9 PHP + WP 3.0+ Updated Oct 15, 2025

cf7formsmulti-stepmulti-step-formmultistep

A · Safe

CVEs total1

Unpatched0

Last CVESep 26, 2024

Plugin page Download

Safety Verdict

Is Multi Step for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 98/100

Multi Step for Contact Form 7 has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Sep 26, 2024Updated 5mo ago

Risk Assessment

The cf7-multi-step plugin v2.7.9 presents a moderate security risk. While it demonstrates some good security practices, such as a majority of SQL queries using prepared statements and the presence of nonce and capability checks, there are significant concerns. The plugin has a small but unprotected attack surface, with two entry points (AJAX and REST API routes) lacking proper authentication or permission checks. Furthermore, a notable portion of output escaping is not properly handled, potentially leading to cross-site scripting vulnerabilities. The plugin's vulnerability history reveals a past high-severity SQL injection vulnerability, and though it's currently patched, this pattern indicates a potential for recurring issues if development practices are not robust. The lack of taint analysis data is a weakness, as it prevents a deeper understanding of data flow vulnerabilities. Overall, while the plugin has some strengths, the unprotected entry points and historical vulnerability suggest a need for increased security scrutiny and development diligence.

Key Concerns

Unprotected AJAX handler
Unprotected REST API route
Low percentage of properly escaped output
Past high-severity SQL injection vulnerability

Vulnerabilities

Multi Step for Contact Form 7 Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2024-47331high · 7.5Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Multi Step for Contact Form <= 2.7.7 - Unauthenticated SQL Injection

Sep 26, 2024 Patched in 2.7.8 (8d)

Code Analysis

Analyzed Mar 16, 2026

Multi Step for Contact Form 7 Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

28 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

80% prepared5 total queries

Output Escaping

42% escaped66 total outputs

Attack Surface

2 unprotected

Multi Step for Contact Form 7 Attack Surface

Entry Points2

Unprotected2

AJAX Handlers 1

authwp_ajax_cf7mls_save_reviewinc\admin\review.php:10

REST API Routes 1

GET/wp-json/cf7mls/v1cf7mls_validationinc\frontend\validation.php:20

WordPress Hooks 24

actionadmin_initcf7-multi-step.php:19

actionplugins_loadedcf7-multi-step.php:78

actionadmin_enqueue_scriptsinc\admin\dashboard-widget.php:10

actionwp_dashboard_setupinc\admin\dashboard-widget.php:11

filterplugin_row_metainc\admin\init.php:18

filterwpcf7_editor_panelsinc\admin\init.php:30

actionadmin_enqueue_scriptsinc\admin\init.php:64

actionadmin_noticesinc\admin\review.php:14

filterwpcf7_editor_panelsinc\admin\settings.php:5

filterwpcf7_pre_construct_contact_form_propertiesinc\admin\settings.php:325

filterwpcf7_contact_form_propertiesinc\admin\settings.php:350

actionwpcf7_save_contact_forminc\admin\settings.php:425

filtercf7d_no_save_fieldsinc\cf7db.php:10

actioncf7d_after_insert_dbinc\cf7db.php:23

filtercf7d_posted_datainc\cf7db.php:50

actionadmin_noticesinc\Fallback.php:4

filterperfmatters_rest_api_exceptionsinc\frontend\init.php:6

actionwpcf7_enqueue_scriptsinc\frontend\init.php:14

actionwpcf7_enqueue_stylesinc\frontend\init.php:16

actionwpcf7_initinc\frontend\init.php:77

filterwpcf7_form_elementsinc\frontend\init.php:138

filterwpcf7_form_class_attrinc\frontend\init.php:168

actionrest_api_initinc\frontend\validation.php:12

actionplugins_loadedinc\I18n.php:10

Maintenance & Trust

Multi Step for Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedOct 15, 2025

PHP min version

Downloads225K

Community Trust

Rating96/100

Number of ratings75

Active installs10K

Alternatives

Multi Step for Contact Form 7 Alternatives

Smart Grid-Layout Design for Contact Form 7

cf7-grid-layout

This plugins allow pure CSS responsive grid layouts for contact form 7. It enables rich interlinking of your CMS data via taxonomy/posts populated dr …

10K No CVEs