Business Essentials for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/cf7-redirect-thank-you-page

Business Essentials for Contact Form 7

8K active installs · v1.2.1 · PHP 5.6+ · WP 3.0+ · Updated Jan 12, 2026
Tags: appointments, contact-form-7, database, payments, recaptcha

Security score: 98/100 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Jan 14, 2025
Safety Verdict

Is Business Essentials for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 98/100

Business Essentials for Contact Form 7 has a reasonable security track record: three medium-severity CVEs, none currently unpatched, and the two 2024 reflected cross-site scripting issues were fixed within a day of disclosure. The 2023 cross-site request forgery took 314 days to patch, so "prompt" describes the recent history rather than all of it. It is a solid choice for most WordPress installations as long as it is kept at 1.0.8 or later (1.2.1 is current).

3 known CVEs · Last CVE: Jan 14, 2025 · Last updated: Jan 12, 2026
Risk Assessment

Version 1.2.1 of cf7-redirect-thank-you-page presents a mixed security posture. Its internal code hygiene is good: 85% of outputs are escaped, 59% of SQL queries use prepared statements, and the scan counts 15 nonce checks and 8 capability checks across 15 entry points. The concerns sit on the external-facing side.

Two REST API routes in the payments module (GET /wp-json/cf7rl/v1/cf7rl_get_form_post and GET /wp-json/cf7rl/v1/cf7rl_get_form_stripe_success) are registered without a permission_callback. WordPress treats such routes as public, so they are reachable by any unauthenticated caller; whether that is exploitable depends on what the handlers do with request data, which this analysis does not establish, but an undeclared access decision on a payment-related route deserves review. The taint analysis found 13 of 20 data flows with unsanitized paths, one of them rated high severity. That is the code-level counterpart of the plugin's history: three medium CVEs, two reflected cross-site scripting and one cross-site request forgery, all input-validation failures.

No unpatched vulnerability is listed. Even so, the 11 non-prepared SQL queries and 57 unescaped outputs remain a residual surface that the headline percentages understate, and the declared PHP minimum of 5.6 is years past end of life; a site still running it carries risk independent of this plugin.

Key Concerns

  • 2 REST API routes (payments module) registered without permission callbacks
  • 13 of 20 data flows with unsanitized paths, one rated high severity
  • Three medium-severity CVEs (two reflected XSS, one CSRF) in the vulnerability history
  • 11 SQL queries not using prepared statements and 57 unescaped outputs
Vulnerabilities
3 published

Business Essentials for Contact Form 7 Security Vulnerabilities

CVEs by Year

2023: 1
2024: 1
2025: 1
All patched.

Severity Breakdown

Medium: 3 (3 total CVEs)

The CVE titles use "Contact Form 7 Redirect & Thank You Page", the plugin's earlier name, which its slug still reflects.

CVE-2024-12423 · medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form 7 Redirect & Thank You Page <= 1.0.7 - Reflected Cross-Site Scripting
Jan 14, 2025 · Patched in 1.0.8 (1 day)

CVE-2024-10685 · medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form 7 Redirect & Thank You Page <= 1.0.6 - Reflected Cross-Site Scripting
Nov 11, 2024 · Patched in 1.0.7 (1 day)

CVE-2023-24395 · medium · CVSS 4.3 · Cross-Site Request Forgery (CSRF)
Contact Form 7 Redirect & Thank You Page <= 1.0.3 - Cross-Site Request Forgery via cf7rl_admin_table
Mar 15, 2023 · Patched in 1.0.4 (314 days)
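The two bug classes above, as an added example rather than the plugin's code: a hypothetical admin settings table that reflects a query parameter (the CVE-2024-10685 / CVE-2024-12423 class) and a hypothetical row-delete action with no nonce or capability check (the CVE-2023-24395 class), each followed by the hardened form. Function, page, parameter and table names are invented for illustration; the page only tells us the CSRF lived in a function called cf7rl_admin_table.

```php
<?php
// Added example, not the plugin's code. Names are hypothetical.

// === 1. Reflected XSS: request data echoed into admin HTML unescaped.
function cf7rl_example_table_weak() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2>Settings: ' . $tab . '</h2>';                    // XSS: <script> in ?tab=
    echo '<a href="?page=cf7rl&tab=' . $tab . '">Reload</a>'; // XSS: breaks out of the attribute
}

// Hardened: sanitize on the way in, allowlist, then escape for the exact output context.
function cf7rl_example_table_fixed() {
    $allowed = array( 'general', 'redirect', 'payments' );
    $tab     = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general'; // unknown values fall back instead of being echoed
    }
    echo '<h2>' . esc_html( sprintf( 'Settings: %s', $tab ) ) . '</h2>';
    $url = add_query_arg( array( 'page' => 'cf7rl', 'tab' => $tab ), admin_url( 'admin.php' ) );
    echo '<a href="' . esc_url( $url ) . '">Reload</a>';
}

// === 2. CSRF: a state-changing admin action with no nonce and no capability check.
function cf7rl_example_delete_weak() {
    if ( isset( $_GET['delete'] ) ) {
        // Anyone who can get an admin to follow a link deletes row N.
        cf7rl_example_delete_row( (int) $_GET['delete'] );
    }
}

// Hardened: the link carries a nonce bound to the row id; the handler verifies the
// nonce and the caller's capability before touching state, then redirects so a
// reload cannot replay the action.
function cf7rl_example_delete_link( $row_id ) {
    $url = add_query_arg( array( 'page' => 'cf7rl', 'delete' => (int) $row_id ), admin_url( 'admin.php' ) );
    return esc_url( wp_nonce_url( $url, 'cf7rl_delete_' . (int) $row_id ) );
}

function cf7rl_example_delete_fixed() {
    if ( ! isset( $_GET['delete'] ) ) {
        return;
    }
    $row_id = absint( $_GET['delete'] );
    check_admin_referer( 'cf7rl_delete_' . $row_id ); // dies if _wpnonce is missing, stale or for another row
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cf7rl-example' ), 403 );
    }
    cf7rl_example_delete_row( $row_id );
    wp_safe_redirect( remove_query_arg( array( 'delete', '_wpnonce' ) ) );
    exit;
}

// Hypothetical storage helper so the example is complete; table name is assumed.
function cf7rl_example_delete_row( $row_id ) {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'cf7rl_submissions', array( 'id' => $row_id ), array( '%d' ) );
}
```

The nonce action includes the row id, so a nonce captured for one row cannot be replayed against another; the capability check is still required, since a nonce only proves the request came from a page WordPress rendered for that user, not that the user is allowed to delete anything.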
Version History

Business Essentials for Contact Form 7 Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Business Essentials for Contact Form 7 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 11 (16 prepared)
Unescaped Output: 57 (325 escaped)
Nonce Checks: 15
Capability Checks: 8
File Operations: 3
External Requests: 12
Bundled Libraries: 0

SQL Query Safety

59% prepared · 27 total queries

Output Escaping

85% escaped · 382 total outputs
Data Flows · Security
13 unsanitized

Data Flow Analysis

20 flows · 13 with unsanitized paths

cf7rl_admin_after_additional_settings (includes/admin/tabs_page.php:26)
Attack Surface
2 unprotected

Business Essentials for Contact Form 7 Attack Surface

Entry Points: 15 · Unprotected: 2

AJAX Handlers (13)

auth · wp_ajax_cf7rl_dismiss_review_notice · includes/functions.php:108
auth · wp_ajax_cf7rl_get_disabled_dates · includes/modules/bookings/enqueue.php:135
nopriv · wp_ajax_cf7rl_get_disabled_dates · includes/modules/bookings/enqueue.php:136
auth · wp_ajax_cf7rl_get_time_slots · includes/modules/bookings/enqueue.php:197
nopriv · wp_ajax_cf7rl_get_time_slots · includes/modules/bookings/enqueue.php:198
auth · wp_ajax_cf7rl-ppcp-onboarding-start · includes/modules/payments/ppcp.php:51
auth · wp_ajax_cf7rl-ppcp-disconnect · includes/modules/payments/ppcp.php:116
auth · wp_ajax_cf7rl_get_form_stripe_success · includes/modules/payments/redirect_methods.php:116
nopriv · wp_ajax_cf7rl_get_form_stripe_success · includes/modules/payments/redirect_methods.php:117
auth · wp_ajax_cf7rl_get_form_post · includes/modules/payments/redirect_methods.php:256
nopriv · wp_ajax_cf7rl_get_form_post · includes/modules/payments/redirect_methods.php:257
auth · wp_ajax_cf7rl_get_form_thank · includes/redirect_methods.php:66
nopriv · wp_ajax_cf7rl_get_form_thank · includes/redirect_methods.php:67

Five of these handlers (get_disabled_dates, get_time_slots, get_form_stripe_success, get_form_post, get_form_thank) are also registered for logged-out visitors (nopriv). That is expected for front-end booking and payment flows, but it means only the handler's own nonce and input checks stand between an anonymous request and the bookings and payments code. The "Unprotected 2" figure refers to the two REST routes below, not to these handlers.

REST API Routes (2)

GET · /wp-json/cf7rl/v1/cf7rl_get_form_post · includes/modules/payments/enqueue.php:41
GET · /wp-json/cf7rl/v1/cf7rl_get_form_stripe_success · includes/modules/payments/enqueue.php:48

Both routes are registered without a permission_callback. Note that rest_api_init is also hooked in includes/modules/payments/paypal_handler.php:49 and includes/modules/payments/stripe_handler.php:136 (see the hook list below), yet no routes from those files appear here, so treat this route table as a lower bound on the REST surface. Payment-return handling on template_redirect (paypal_handler.php:10, redirect_methods.php:47) is likewise reachable by anonymous front-end requests and is not among the 15 counted entry points.
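As an added example (not the plugin's code), here is the route shape the scan flags for the two GET routes above, beside a registration that makes the access decision explicit and constrains the request arguments, followed by a nopriv AJAX handler in the cf7rl_get_time_slots style making the same decision on the admin-ajax path. Handler bodies, parameter names, the nonce action and the bookings table are assumptions; only the route namespace and path come from the page.

```php
<?php
// Added example, not the plugin's code. Route paths are the ones the scan lists;
// handler bodies, parameter names and the bookings table are assumptions.

// Weak: the shape the scan flags. No permission_callback means WordPress 5.5+
// logs _doing_it_wrong and serves the route to anyone; the access decision is
// implicit and the request values reach the handler unvalidated.
function cf7rl_example_register_weak() {
    register_rest_route( 'cf7rl/v1', '/cf7rl_get_form_post', array(
        'methods'  => 'GET',
        'callback' => 'cf7rl_example_get_form_post',
    ) );
}

// Hardened: decide explicitly. A payment-redirect route is public on purpose,
// so say so with __return_true, then constrain every argument so the callback
// only ever sees a validated integer. An admin-only route would instead use
//   'permission_callback' => function () { return current_user_can( 'manage_options' ); }
function cf7rl_example_register_fixed() {
    register_rest_route( 'cf7rl/v1', '/cf7rl_get_form_post', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'cf7rl_example_get_form_post',
        'permission_callback' => '__return_true',
        'args'                => array(
            'form_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    // Only ids of Contact Form 7 forms are acceptable.
                    return 'wpcf7_contact_form' === get_post_type( (int) $value );
                },
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'cf7rl_example_register_fixed' );

function cf7rl_example_get_form_post( WP_REST_Request $request ) {
    $form = wpcf7_contact_form( $request->get_param( 'form_id' ) ); // already absint()'d and validated
    if ( ! $form ) {
        return new WP_Error( 'cf7rl_not_found', 'Unknown form', array( 'status' => 404 ) );
    }
    // Return only what the front end needs; never reflect raw request data.
    return rest_ensure_response( array( 'id' => $form->id(), 'title' => $form->title() ) );
}

// Same decision for a nopriv AJAX handler in the cf7rl_get_time_slots style.
// The nonce is created with wp_create_nonce( 'cf7rl_booking' ) and handed to the
// front-end script via wp_localize_script (assumed; not shown here).
add_action( 'wp_ajax_cf7rl_example_get_time_slots',        'cf7rl_example_get_time_slots' );
add_action( 'wp_ajax_nopriv_cf7rl_example_get_time_slots', 'cf7rl_example_get_time_slots' );

function cf7rl_example_get_time_slots() {
    check_ajax_referer( 'cf7rl_booking', 'nonce' ); // ends the request on a bad or missing nonce

    $date    = isset( $_POST['date'] ) ? sanitize_text_field( wp_unslash( $_POST['date'] ) ) : '';
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) || false === strtotime( $date ) ) {
        wp_send_json_error( array( 'message' => 'Invalid date' ), 400 );
    }
    if ( ! $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid form' ), 400 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'cf7rl_bookings'; // hypothetical table name
    $taken = $wpdb->get_col( $wpdb->prepare(
        "SELECT slot FROM {$table} WHERE form_id = %d AND booking_date = %s",
        $form_id,
        $date
    ) );
    wp_send_json_success( array( 'taken' => $taken ) );
}
```

One caveat on the nopriv path: for a logged-out visitor a WordPress nonce is not bound to any user or session, so anyone can fetch a valid one from the public page. On nopriv handlers it is a freshness check at best, and the argument validation and prepared statement are the controls that actually matter.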
WordPress Hooks (93)

action · init · cf7-redirect.php:203
action · admin_notices · cf7-redirect.php:314
action · admin_enqueue_scripts · cf7-redirect.php:352
action · cf7rl_daily_scheduled_events · includes/admin/extensions.php:92
action · admin_menu · includes/admin/menu_links.php:7
action · admin_menu · includes/admin/menu_links.php:19
filter · plugin_action_links · includes/admin/menu_links.php:25
filter · cf7rl_available_modules · includes/admin/modules-example.php:12
action · wpcf7_before_send_mail · includes/admin/modules-example.php:38
action · plugins_loaded · includes/admin/modules-example.php:42
filter · cf7rl_available_modules · includes/admin/modules-example.php:46
filter · wpcf7_editor_panels · includes/admin/tabs_page.php:23
action · wpcf7_after_save · includes/admin/tabs_page.php:130
action · admin_enqueue_scripts · includes/enqueue.php:18
action · wp_enqueue_scripts · includes/enqueue.php:40
action · admin_notices · includes/functions.php:13
action · admin_notices · includes/functions.php:67
action · admin_init · includes/functions.php:91
action · wpcf7_init · includes/modules/bookings/admin_functions.php:8
action · wpcf7_admin_init · includes/modules/bookings/admin_functions.php:114
filter · wpcf7_validate_bookingdate · includes/modules/bookings/admin_functions.php:213
filter · wpcf7_validate_bookingdate* · includes/modules/bookings/admin_functions.php:214
filter · wpcf7_validate_bookingtime · includes/modules/bookings/admin_functions.php:238
filter · wpcf7_validate_bookingtime* · includes/modules/bookings/admin_functions.php:239
action · wpcf7_before_send_mail · includes/modules/bookings/admin_functions.php:254
filter · wpcf7_editor_panels · includes/modules/bookings/booking_admin_tab.php:8
action · wpcf7_after_save · includes/modules/bookings/booking_admin_tab.php:179
action · wp_enqueue_scripts · includes/modules/bookings/enqueue.php:43
action · admin_enqueue_scripts · includes/modules/bookings/enqueue.php:105
action · wpcf7_init · includes/modules/country_phone/admin_functions.php:8
action · wpcf7_admin_init · includes/modules/country_phone/admin_functions.php:221
filter · wpcf7_validate_countryselect · includes/modules/country_phone/admin_functions.php:326
filter · wpcf7_validate_countryselect* · includes/modules/country_phone/admin_functions.php:327
filter · wpcf7_validate_teltext · includes/modules/country_phone/admin_functions.php:342
filter · wpcf7_validate_teltext* · includes/modules/country_phone/admin_functions.php:343
filter · wpcf7_posted_data · includes/modules/country_phone/country_phone_functions.php:367
action · wp_enqueue_scripts · includes/modules/country_phone/enqueue.php:8
action · admin_enqueue_scripts · includes/modules/country_phone/enqueue.php:65
action · admin_init · includes/modules/database_submissions/admin_page.php:240
filter · set-screen-option · includes/modules/database_submissions/admin_page.php:251
action · admin_init · includes/modules/database_submissions/database_functions.php:45
action · wpcf7_before_send_mail · includes/modules/database_submissions/database_functions.php:90
filter · wpcf7_editor_panels · includes/modules/material_theme/admin_functions.php:19
action · wpcf7_after_save · includes/modules/material_theme/admin_functions.php:133
action · wp_enqueue_scripts · includes/modules/material_theme/enqueue.php:70
action · admin_enqueue_scripts · includes/modules/material_theme/enqueue.php:93
filter · wpcf7_form_class_attr · includes/modules/material_theme/material_theme_functions.php:57
action · wp_enqueue_scripts · includes/modules/material_theme/material_theme_functions.php:153
filter · wpcf7_form_additional_atts · includes/modules/material_theme/material_theme_functions.php:199
action · init · includes/modules/payments/cpt.php:8
action · edit_form_after_title · includes/modules/payments/cpt.php:42
action · admin_menu · includes/modules/payments/cpt.php:57
filter · post_row_actions · includes/modules/payments/cpt.php:169
action · init · includes/modules/payments/cpt.php:218
action · admin_footer-edit.php · includes/modules/payments/cpt.php:251
filter · manage_cf7rl_payments_posts_columns · includes/modules/payments/cpt.php:275
action · manage_cf7rl_payments_posts_custom_column · includes/modules/payments/cpt.php:294
filter · post_date_column_status · includes/modules/payments/cpt.php:326
filter · post_date_column_time · includes/modules/payments/cpt.php:337
action · restrict_manage_posts · includes/modules/payments/cpt.php:348
action · parse_query · includes/modules/payments/cpt.php:391
filter · wp_untrash_post_status · includes/modules/payments/cpt.php:424
filter · views_edit-cf7rl_payments · includes/modules/payments/cpt.php:437
action · wp · includes/modules/payments/cronjob.php:8
action · cf7rl_payment_check_status · includes/modules/payments/cronjob.php:19
action · admin_enqueue_scripts · includes/modules/payments/enqueue.php:21
action · rest_api_init · includes/modules/payments/enqueue.php:39
action · wp_enqueue_scripts · includes/modules/payments/enqueue.php:81
action · admin_head · includes/modules/payments/functions.php:168
action · admin_notices · includes/modules/payments/functions.php:189
filter · wpcf7_load_js · includes/modules/payments/payment_functions.php:136
action · init · includes/modules/payments/payment_functions.php:139
action · init · includes/modules/payments/payment_functions.php:157
action · template_redirect · includes/modules/payments/paypal_handler.php:10
action · rest_api_init · includes/modules/payments/paypal_handler.php:49
action · wp · includes/modules/payments/ppcp_frontend.php:64
filter · wpcf7_form_elements · includes/modules/payments/ppcp_frontend.php:108
action · template_redirect · includes/modules/payments/redirect_methods.php:47
action · wpcf7_before_send_mail · includes/modules/payments/redirect_methods.php:156
action · plugins_loaded · includes/modules/payments/stripe-connect.php:131
action · plugins_loaded · includes/modules/payments/stripe-connect.php:187
action · wpcf7_before_send_mail · includes/modules/payments/stripe_handler.php:9
action · rest_api_init · includes/modules/payments/stripe_handler.php:136
action · plugins_loaded · includes/modules/payments/stripe_handler.php:224
filter · wpcf7_editor_panels · includes/modules/payments/tabs_page.php:21
action · wpcf7_after_save · includes/modules/payments/tabs_page.php:102
filter · wpcf7_editor_panels · includes/modules/recaptcha/admin_functions.php:18
action · wpcf7_after_save · includes/modules/recaptcha/admin_functions.php:95
action · wp_enqueue_scripts · includes/modules/recaptcha/enqueue.php:60
filter · wpcf7_spam · includes/modules/recaptcha/recaptcha_functions.php:114
filter · wpcf7_display_message · includes/modules/recaptcha/recaptcha_functions.php:158
filter · wpcf7_form_elements · includes/modules/recaptcha/recaptcha_functions.php:242
action · wp_footer · includes/modules/recaptcha/recaptcha_functions.php:249

Scheduled Events (1)

cf7rl_payment_check_status
Maintenance & Trust

Business Essentials for Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 12, 2026
PHP min version: 5.6
Downloads: 77K

Community Trust

Rating: 66/100
Number of ratings: 10
Active installs: 8K
Developer Profile

Business Essentials for Contact Form 7 Developer Profile

Scott Paterson

12 plugins · 44K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 267 days
Detection Fingerprints

How We Detect Business Essentials for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cf7-redirect-thank-you-page/includes/enqueue.php

Script Paths
/wp-content/plugins/cf7-redirect-thank-you-page/includes/enqueue.php
/wp-content/plugins/cf7-redirect-thank-you-page/includes/modules/recaptcha/enqueue.php
/wp-content/plugins/cf7-redirect-thank-you-page/includes/modules/country_phone/enqueue.php

HTML / DOM Fingerprints

Data Attributes
cf7rl_redirect_enable
_cf7rl_redirect_enable
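Applying these fingerprints, as an added example (not code from the page's scanner or from the plugin): a function that takes a fetched HTML document and reports which fingerprints matched. The sample HTML is constructed for the example. The version hint relies on WordPress appending ?ver= to enqueued scripts, which only happens if the plugin passes its version to wp_enqueue_script; the page does not confirm that it does, so the hint is labelled as such.

```php
<?php
// Added example, not the plugin's or the scanner's code.
// Inputs are constructed; the version hint is an assumption (see below).

const CF7RL_SLUG = 'cf7-redirect-thank-you-page';

/**
 * Check a fetched HTML document for the fingerprints listed on this page.
 * Returns which ones matched and, when an enqueued asset carries ?ver=,
 * the version string it advertises.
 */
function cf7rl_fingerprint( $html ) {
    $hits = array();
    $base = '/wp-content/plugins/' . CF7RL_SLUG . '/';

    // Asset / script paths from the fingerprint list.
    $paths = array(
        'includes/enqueue.php',
        'includes/modules/recaptcha/enqueue.php',
        'includes/modules/country_phone/enqueue.php',
    );
    foreach ( $paths as $path ) {
        if ( false !== stripos( $html, $base . $path ) ) {
            $hits[] = 'asset:' . $path;
        }
    }

    // Any other file referenced under the plugin directory also proves presence.
    if ( preg_match( '#' . preg_quote( $base, '#' ) . '[^"\'\s>]+#i', $html, $m ) ) {
        $hits[] = 'dir:' . $m[0];
    }

    // The data attribute the page lists as a DOM fingerprint
    // (matches both cf7rl_redirect_enable and _cf7rl_redirect_enable).
    if ( false !== stripos( $html, 'cf7rl_redirect_enable' ) ) {
        $hits[] = 'dom:cf7rl_redirect_enable';
    }

    // Version hint. WordPress appends ?ver=<version> to enqueued assets only if
    // the plugin passes its version to wp_enqueue_script; whether this plugin
    // does is an assumption, so treat the value as a hint, not a determination.
    $version = null;
    if ( preg_match( '#' . preg_quote( $base, '#' ) . '[^"\'\s>]*\?ver=([0-9][0-9.]*)#i', $html, $m ) ) {
        $version = $m[1];
    }

    return array(
        'present'      => ! empty( $hits ),
        'evidence'     => $hits,
        'version_hint' => $version,
    );
}

// Constructed sample: roughly what a crawler would see in a page <head>.
$sample = '<html><head>'
    . '<script src="https://example.test/wp-content/plugins/cf7-redirect-thank-you-page/'
    . 'includes/modules/recaptcha/enqueue.php?ver=1.2.1"></script>'
    . '</head><body><form data-cf7rl_redirect_enable="1"></form></body></html>';

print_r( cf7rl_fingerprint( $sample ) );
```

Presence is the only thing these fingerprints establish reliably. Whether a detected install is on a vulnerable release (1.0.7 or earlier for the CVEs above) needs a version source, and a ?ver= string can be stripped or rewritten by caching and minification plugins, so confirm it by another means before acting on it.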