WP-Safety

CF7 WOW Styler – Visual Styler for Contact Form 7 Forms Security & Risk Analysis

wordpress.org/plugins/cf7-styler

Save time by styling Contact Form 7 once and applying the same design to multiple forms – CF7 WOW Styler keeps them on brand with visual controls and …

3K active installs v1.7.5 PHP 7.0+ WP 5.0+ Updated Feb 24, 2026
cf7contact-form-7contact-form-7-stylecontactform7form-styler
71
B · Generally Safe
CVEs total4
Unpatched1
Last CVEAug 7, 2025
Plugin page Download
Safety Verdict

Is CF7 WOW Styler – Visual Styler for Contact Form 7 Forms Safe to Use in 2026?

Mostly Safe

Score 71/100

CF7 WOW Styler – Visual Styler for Contact Form 7 Forms is generally safe to use. 4 past CVEs were resolved. Keep it updated.

4 known CVEs 1 unpatched Last CVE: Aug 7, 2025Updated 1mo ago
Risk Assessment

The "cf7-styler" plugin v1.7.5 presents a significant security risk due to a large number of unprotected AJAX handlers, indicating a broad attack surface with insufficient access controls. While the static analysis shows good practices in SQL query handling and a relatively low number of external HTTP requests, the stark contrast between the total entry points and those without authentication checks is a major red flag. The taint analysis, though reporting no critical or high severity flows, did identify unsanitized paths, which in conjunction with the lack of authorization on AJAX handlers, could lead to serious vulnerabilities if not properly addressed.

The vulnerability history is concerning, with a total of 4 known CVEs, including one high-severity unpatched vulnerability. The common types of past vulnerabilities (PHP Remote File Inclusion, Code Injection, XSS, Missing Authorization) strongly suggest recurring weaknesses in input sanitization and access control mechanisms. The presence of an unpatched high-severity vulnerability from August 2025 is particularly alarming and requires immediate attention. Although the plugin employs nonce checks and some capability checks, their application is not comprehensive enough to mitigate the risks posed by the unprotected entry points.

In conclusion, while "cf7-styler" demonstrates some positive security attributes like prepared SQL statements, its overall security posture is weak. The high number of unprotected AJAX endpoints, combined with a history of critical vulnerability types and an unpatched high-severity flaw, makes it a high-risk plugin. Users should exercise extreme caution or consider alternative solutions until these critical issues are resolved.

Key Concerns

  • Unprotected AJAX handlers
  • Unpatched high severity CVE
  • History of common vulnerability types
  • Unsanitized paths in taint analysis
  • Low percentage of properly escaped output
  • Bundled outdated Freemius library
Vulnerabilities
4

CF7 WOW Styler – Visual Styler for Contact Form 7 Forms Security Vulnerabilities

CVEs by Year

2 CVEs in 2024
2024
2 CVEs in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

High
1
Medium
3

4 total CVEs

CVE-2025-54028high · 8.1Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CF7 WOW Styler <= 1.7.2 - Unauthenticated Local File Inclusion

Aug 7, 2025 Patched in 1.7.3 (5d)
CVE-2024-12419medium · 6.5Improper Control of Generation of Code ('Code Injection')

Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting

Jan 6, 2025Unpatched
CVE-2024-51689medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CF7 WOW Styler <= 1.6.8 - Reflected Cross-Site Scripting

Nov 4, 2024 Patched in 1.6.9 (17d)
CVE-2024-34826medium · 5.4Missing Authorization

Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.6.4 - Missing Authorization via Several AJAX Action

May 9, 2024 Patched in 1.6.5 (7d)
Code Analysis
Analyzed Mar 16, 2026

CF7 WOW Styler – Visual Styler for Contact Form 7 Forms Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
2 prepared
Unescaped Output
190
42 escaped
Nonce Checks
8
Capability Checks
3
File Operations
0
External Requests
1
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

100% prepared2 total queries

Output Escaping

18% escaped232 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

6 flows4 with unsanitized paths
change_form_preview (admin\class-cf7-customizer-admin-ajax.php:491)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
16 unprotected

CF7 WOW Styler – Visual Styler for Contact Form 7 Forms Attack Surface

Entry Points16
Unprotected16

AJAX Handlers 16

authwp_ajax_cf7cstmzr_save_form_customizer_settingsincludes\class-cf7-customizer.php:179
authwp_ajax_cf7cstmzr_new_form_customizer_settingsincludes\class-cf7-customizer.php:180
authwp_ajax_cf7cstmzr_delete_form_customizer_settingsincludes\class-cf7-customizer.php:181
authwp_ajax_cf7cstmzr_enable_globallyincludes\class-cf7-customizer.php:182
authwp_ajax_cf7cstmzr_disable_globallyincludes\class-cf7-customizer.php:183
authwp_ajax_cf7cstmzr_enable_for_formincludes\class-cf7-customizer.php:184
authwp_ajax_cf7cstmzr_disable_for_formincludes\class-cf7-customizer.php:185
authwp_ajax_cf7cstmzr_change_form_previewincludes\class-cf7-customizer.php:186
authwp_ajax_cf7cstmzr_preview_form_customizer_settingsincludes\class-cf7-customizer.php:187
authwp_ajax_cf7cstmzr_load_body_tagincludes\class-cf7-customizer.php:188
authwp_ajax_cf7cstmzr_cache_formincludes\class-cf7-customizer.php:189
noprivwp_ajax_cf7cstmzr_cache_formincludes\class-cf7-customizer.php:190
authwp_ajax_cf7cstmzr_install_pluginincludes\class-cf7-customizer.php:191
authwp_ajax_cf7cstmzr_close_welcomeincludes\class-cf7-customizer.php:192
authwp_ajax_cf7cstmzr_frontend_saveincludes\class-cf7-customizer.php:215
noprivwp_ajax_cf7cstmzr_frontend_saveincludes\class-cf7-customizer.php:216
WordPress Hooks 19
actionadmin_noticescf7-styler.php:154
actionadmin_noticescf7-styler.php:158
filterplugin_localeincludes\class-cf7-customizer-i18n.php:37
actionplugins_loadedincludes\class-cf7-customizer.php:151
actionadmin_enqueue_scriptsincludes\class-cf7-customizer.php:167
actionadmin_enqueue_scriptsincludes\class-cf7-customizer.php:168
actionadmin_menuincludes\class-cf7-customizer.php:169
actionadmin_menuincludes\class-cf7-customizer.php:170
actioninitincludes\class-cf7-customizer.php:171
actioninitincludes\class-cf7-customizer.php:172
actioninitincludes\class-cf7-customizer.php:173
actiontemplate_redirectincludes\class-cf7-customizer.php:174
filtershow_admin_barincludes\class-cf7-customizer.php:176
filteradmin_body_classincludes\class-cf7-customizer.php:177
filterwpcf7_editor_panelsincludes\class-cf7-customizer.php:194
actionsave_post_wpcf7_contact_formincludes\class-cf7-customizer.php:195
actionwp_enqueue_scriptsincludes\class-cf7-customizer.php:210
actionwp_enqueue_scriptsincludes\class-cf7-customizer.php:211
filterdo_shortcode_tagincludes\class-cf7-customizer.php:213
Maintenance & Trust

CF7 WOW Styler – Visual Styler for Contact Form 7 Forms Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 24, 2026
PHP min version7.0
Downloads162K

Community Trust

Rating74/100
Number of ratings15
Active installs3K
Alternatives

CF7 WOW Styler – Visual Styler for Contact Form 7 Forms Alternatives

Innozilla Skins for Contact Form 7

Innozilla Skins for Contact Form 7

cf7-skins-innozilla

A
100

Auto style Contact Form 7 forms with straightforward dashboard. ( Contact Form 7 Style )

2K No CVEs
Style Contact Form 7

Style Contact Form 7

customizer-block-cf7

A
100

This Contact Form 7 compatible Gutenberg Block automates CSS style generation allowing you to quickly design visually appealing contact forms.

1K No CVEs
ActiveTrail – Contact Form 7

ActiveTrail – Contact Form 7

activetrail-contact-form-7

A
92

The official ActiveTrail Email Marketing Integration for Contact Form 7

600 No CVEs
CF7 Required custom field

CF7 Required custom field

cf7-required-custom-field

A
85

CF7 Required custom field - a plugin in which you customized your message for the required field for CF7.

100 No CVEs
CF7 Mailgun Domain Validation

CF7 Mailgun Domain Validation

cf7-mailgun-domain-validation

A
100

Allows email addresses using your site’s Mailgun domain to pass Contact Form 7’s form validation feature.

10 No CVEs
Developer Profile

CF7 WOW Styler – Visual Styler for Contact Form 7 Forms Developer Profile

Saleswonder Team: Tobias

4 plugins · 3K total installs

78
trust score
Avg Security Score
86/100
Avg Patch Time
48 days
View full developer profile
Detection Fingerprints

How We Detect CF7 WOW Styler – Visual Styler for Contact Form 7 Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cf7-styler/assets/css/cf7-styler.css/wp-content/plugins/cf7-styler/assets/js/cf7-styler.js/wp-content/plugins/cf7-styler/assets/css/custom-style.css
Script Paths
/wp-content/plugins/cf7-styler/assets/js/cf7-styler.js
Version Parameters
cf7-styler/assets/css/cf7-styler.css?ver=cf7-styler/assets/js/cf7-styler.js?ver=cf7-styler/assets/css/custom-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
cf7-styler-form-wrappercf7-styler-form-buildercf7-styler-fields-wrapper
HTML Comments
<!-- cf7-styler-form-wrapper --><!-- cf7-styler-fields-wrapper --><!-- cf7-styler-form-builder -->
Data Attributes
data-cf7-styler-id
JS Globals
cf7_styler_ajax_objectcf7_styler_plugin_url
REST Endpoints
/wp-json/cf7-styler/v1/forms/wp-json/cf7-styler/v1/settings
Shortcode Output
[cf7_styler_form]
FAQ

Frequently Asked Questions about CF7 WOW Styler – Visual Styler for Contact Form 7 Forms