CF7 Spreadsheets Security & Risk Analysis
wordpress.org/plugins/cf7-spreadsheetsWordpress plugin that merge Contact form 7 functional with google spreadsheets (also works with private spreadsheet).
Is CF7 Spreadsheets Safe to Use in 2026?
High Risk
Score 30/100CF7 Spreadsheets carries significant security risk with 3 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.
The 'cf7-spreadsheets' plugin v2.3.2 exhibits a concerning security posture, primarily due to a significant number of unprotected entry points and a history of known vulnerabilities. The static analysis reveals four AJAX handlers that lack any authorization checks, creating a broad attack surface where unauthenticated users could potentially trigger plugin functionality. While the code doesn't appear to use dangerous functions or raw SQL queries, the low percentage of properly escaped output (15%) is a major red flag, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. Taint analysis, while limited in scope, did identify flows with unsanitized paths, further supporting the XSS concern. The vulnerability history is particularly alarming, with three medium-severity CVEs currently unpatched, and the last one being recent. This pattern of missing authorization and XSS vulnerabilities, coupled with unpatched security flaws, suggests a recurring lack of robust security practices in the plugin's development and maintenance.
Key Concerns
- 4 unprotected AJAX handlers
- 3 unpatched CVEs
- Low output escaping (15%)
- Flows with unsanitized paths
- No nonce checks
- No capability checks
CF7 Spreadsheets Security Vulnerabilities
CVEs by Year
Severity Breakdown
3 total CVEs
CF7 Spreadsheets <= 2.3.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CF7 Spreadsheets <= 2.3.2 - Reflected Cross-Site Scripting
CF7 Spreadsheets <= 2.3.2 - Missing Authorization to Settings Update
CF7 Spreadsheets Code Analysis
Bundled Libraries
Output Escaping
Data Flow Analysis
CF7 Spreadsheets Attack Surface
AJAX Handlers 4
WordPress Hooks 6
Maintenance & Trust
CF7 Spreadsheets Maintenance & Trust
Maintenance Signals
Community Trust
CF7 Spreadsheets Alternatives
LiveSheets: Google Sheets | Data table | Spreadsheets
livesheets
Transform google spreadsheets, google sheets into stunning data tables.
FlexTable – Data Table Sync with Google Sheets
sheets-to-wp-table-live-sync
Turn Google Sheets into live WordPress tables. Embed, sync, and customize data instantly with search, filters, and styling - no coding needed.
WPSyncSheets For Contact Form 7 – CF7 Google Sheets Connector & Save to Database
contactsheets-lite
Connect Contact Form 7 submissions to Google Sheets to sync your form entries and save all cf7 forms submitted data to the database.
Formentor – Elementor Form Plus
formentor-elementor-form-plus
Send forms directly to Google Sheets, an elementor plugin
Stylish Google Sheet Reader – Embed Google Sheets as Interactive Tables with Built-in Form Submissions
stylish-google-sheet-reader
Effortlessly create responsive, searchable, auto-refreshable data tables — now with built-in form submissions to receive orders or inquiries directly.
CF7 Spreadsheets Developer Profile
1 plugin · 400 total installs
How We Detect CF7 Spreadsheets
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/cf7-spreadsheets/css/style.css/wp-content/plugins/cf7-spreadsheets/js/script.js/wp-content/plugins/cf7-spreadsheets/js/script.jscf7-spreadsheets/css/style.css?ver=cf7-spreadsheets/js/script.js?ver=HTML / DOM Fingerprints
CF7spreadsheets_option_urlCF7spreadsheets_option_idCF7spreadsheets_option_enabledCF7spreadsheets_option_mailCF7spreadsheets_output_tagsCF7spreadsheets_output_types