CF7 Shortcode Finder Security & Risk Analysis

wordpress.org/plugins/cf7-shortcode-finder

This plugin is compatible with Contact form 7 and it will help you to locate which form is placed on which page. This will be helpful in tracking down …

40 active installs v1.0.0 PHP + WP + Updated Nov 29, 2024
Tags: cf7, cf7-finder, cf7-shortcode, cf7-shortcode-finder, shortcode-finder
Score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is CF7 Shortcode Finder Safe to Use in 2026?

Generally Safe

Score 92/100

CF7 Shortcode Finder has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The "cf7-shortcode-finder" v1.0.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and has no recorded vulnerabilities or CVEs, suggesting a history of secure development. The attack surface is minimal, with only one shortcode and no AJAX handlers, REST API routes, or cron events.

However, the code analysis raises significant concerns. The most critical finding is that none of the plugin's seven output operations is properly escaped. This presents a substantial Cross-Site Scripting (XSS) risk, because user-supplied data rendered by the plugin could carry injected malicious scripts. Additionally, the complete absence of nonce checks and capability checks on its entry points, even though they are not directly exposed via AJAX or REST API, is a notable omission that could be exploited if the attack surface expands or if the shortcode itself handles user input without proper validation.

Given the lack of historical vulnerabilities, it's possible these issues have not been exploited yet. However, the unescaped output and missing security checks represent clear weaknesses that should be addressed to improve the plugin's overall security.

Key Concerns

  • Outputs not properly escaped
  • No nonce checks on entry points
  • No capability checks on entry points
Vulnerabilities
None known

CF7 Shortcode Finder Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

CF7 Shortcode Finder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 7 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

0% escaped · 7 total outputs
Attack Surface

CF7 Shortcode Finder Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[wpdocs_shortcode_pages_callback] admin\class-contact-form-shortcode-finder-admin.php:55
WordPress Hooks 6
action  admin_menu  admin\class-contact-form-shortcode-finder-admin.php:54
action  plugins_loaded  includes\class-contact-form-shortcode-finder.php:142
action  admin_enqueue_scripts  includes\class-contact-form-shortcode-finder.php:157
action  admin_enqueue_scripts  includes\class-contact-form-shortcode-finder.php:158
action  wp_enqueue_scripts  includes\class-contact-form-shortcode-finder.php:173
action  wp_enqueue_scripts  includes\class-contact-form-shortcode-finder.php:174
Maintenance & Trust

CF7 Shortcode Finder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Nov 29, 2024
PHP min version
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 40
Developer Profile

CF7 Shortcode Finder Developer Profile

HK

3 plugins · 230 total installs

Trust score: 88
Avg Security Score: 92/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect CF7 Shortcode Finder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cf7-shortcode-finder/admin/js/shortcode-finder-admin.js
/wp-content/plugins/cf7-shortcode-finder/admin/css/shortcode-finder-admin.css
Script Paths
/wp-content/plugins/cf7-shortcode-finder/admin/js/shortcode-finder-admin.js
Version Parameters
cf7-shortcode-finder/admin/js/shortcode-finder-admin.js?ver=
cf7-shortcode-finder/admin/css/shortcode-finder-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
main-wrap-shcodeheadingres-main-wraptoshortcode-page-link
Data Attributes
data-form-title
data-form-id
Shortcode Output
[contact-form-7 id="
FAQ

Frequently Asked Questions about CF7 Shortcode Finder