WP-Safety

Submission DOM tracking for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/cf7-submission-dom-tracking

Track succesfull form submissions with Contact Form 7 using DOM events

500 active installs v2.2 PHP 5.5+ WP 4.0.1+ Updated Feb 1, 2026
contact-formformform-submissiontrack-formstracking-forms
99
A · Safe
CVEs total1
Unpatched0
Last CVEMay 7, 2025
Download
Safety Verdict

Is Submission DOM tracking for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 99/100

Submission DOM tracking for Contact Form 7 has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: May 7, 2025Updated 3mo ago
Risk Assessment

The cf7-submission-dom-tracking plugin v2.2 exhibits a generally positive security posture based on the provided static analysis. The absence of AJAX handlers, REST API routes, shortcodes, and cron events significantly limits its attack surface. Furthermore, the code demonstrates good practices with all SQL queries using prepared statements and no file operations or external HTTP requests, reducing common vulnerability vectors. The presence of a capability check, though singular, is a positive sign. However, the 31% of improperly escaped output is a concern, as it represents a potential avenue for Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's history. The plugin has a single known CVE, which is reportedly patched, but the historical trend of XSS vulnerabilities suggests a need for continued vigilance in output sanitization.

Key Concerns

  • Significant portion of output not properly escaped
  • History of XSS vulnerabilities
  • Single capability check found
Vulnerabilities
1 published

Submission DOM tracking for Contact Form 7 Security Vulnerabilities

CVEs by Year

1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-47626medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Submission DOM tracking for Contact Form 7 <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 7, 2025 Patched in 2.2 (273d)
Version History

Submission DOM tracking for Contact Form 7 Release Timeline

v2.2Current
Code Analysis
Analyzed Mar 16, 2026

Submission DOM tracking for Contact Form 7 Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
8
18 escaped
Nonce Checks
0
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

69% escaped26 total outputs
Attack Surface

Submission DOM tracking for Contact Form 7 Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 7
actionwp_print_stylescontact-form-7-s-dom-tracking.php:52
actionwp_print_scriptscontact-form-7-s-dom-tracking.php:67
actionwp_footercontact-form-7-s-dom-tracking.php:82
actionadmin_initcontact-form-7-s-dom-tracking.php:229
actionadmin_menucontact-form-7-s-dom-tracking.php:255
actionadmin_initcontact-form-7-s-dom-tracking.php:266
actionplugins_loadedcontact-form-7-s-dom-tracking.php:317
Maintenance & Trust

Submission DOM tracking for Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 1, 2026
PHP min version5.5
Downloads13K

Community Trust

Rating100/100
Number of ratings1
Active installs500
Alternatives

Submission DOM tracking for Contact Form 7 Alternatives

FormsDB – Save Elementor Forms to Google Sheets & Post Type

FormsDB – Save Elementor Forms to Google Sheets & Post Type

sb-elementor-contact-form-db

A
93

Connect Elementor forms with Google Sheets to sync form entries, or save form submissions in any post type using Elementor Pro or Hello Plus forms.

20K 4 CVEs
ShopMagic for Contact Form 7 and WooCommerce

ShopMagic for Contact Form 7 and WooCommerce

shopmagic-for-contact-form-7

A
100

Allows creating WooCommerce marketing automation and emailing WordPress users based on Contact Form 7 submission. You can use this Contact Form 7 inte &hellip;

300 No CVEs
Contact Form 7 Database Manager Addon – CF7DBM

Contact Form 7 Database Manager Addon – CF7DBM

form-data-manager

A
92

Save contact form 7 submissions to the WP database with this CF7 addon. Never lose important messages, leads, and requests again.

200 No CVEs
Contact Form Extender for Divi – Submissions DB & Extra Fields

Contact Form Extender for Divi – Submissions DB & Extra Fields

contact-form-extender-for-divi-builder

A
94

Extend Divi Contact Form module with file upload field, country code dropdown and save Divi form submissions in the database.

100 1 CVE
AroksDS Submission Alerts for Contact Form 7 to Telegram

AroksDS Submission Alerts for Contact Form 7 to Telegram

aroksds-alerts-for-cf7-to-telegram

A
100

Stop losing leads: send Contact Form 7 submissions to a shared Telegram channel as a reliable backup to email.

10 No CVEs
Developer Profile

Submission DOM tracking for Contact Form 7 Developer Profile

apasionados

28 plugins · 60K total installs

74
trust score
Avg Security Score
93/100
Avg Patch Time
326 days
View full developer profile
Detection Fingerprints

How We Detect Submission DOM tracking for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Script Paths
/wp-content/plugins/cf7-submission-dom-tracking/cf7-submission-dom-tracking.php
Version Parameters
cf7-submission-dom-tracking/style.css?ver=cf7-submission-dom-tracking/script.js?ver=

HTML / DOM Fingerprints

JS Globals
apa_cf7sdomt_f_global_varsapacf7sdomtglobalformsapacf7sdomtglobalapa_cf7sdomt_Tracker__gaTrackerga+7 more
Shortcode Output
<script type="text/javascript"> document.addEventListener('wpcf7mailsent', function(event) { var el = document.getElementById('hidecontactform7contactform'); if (el) { el.style.display = 'none'; } __gaTracker('send','event', ga('send','event',
FAQ

Frequently Asked Questions about Submission DOM tracking for Contact Form 7