cformsII Security & Risk Analysis

wordpress.org/plugins/cforms2

This is a fork of cformsII, a highly customizable, flexible and powerful form builder plugin, covering a variety of use cases and features.

4K active installs · v15.1.3 · PHP + WP 6.9+ · Updated Mar 10, 2026
Tags: contact, fork, form, multi-step, sidebar

Score: 93 (A · Safe)
CVEs total: 11
Unpatched: 0
Last CVE: Jan 15, 2024
Safety Verdict

Is cformsII Safe to Use in 2026?

Generally Safe

Score 93/100

cformsII has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Jan 15, 2024 · Updated 25d ago
Risk Assessment

The cforms2 plugin version 15.1.3 presents a significant security risk due to its history of vulnerabilities and concerning static analysis findings. While the plugin has no currently unpatched CVEs, the sheer volume of past vulnerabilities (11 total), including 2 critical and 3 high-severity issues, strongly suggests a pattern of insecure coding practices. The historical vulnerability types, such as Cross-site Scripting, SQL Injection, and Cross-Site Request Forgery, are common and can lead to serious compromises.

The static analysis reveals several immediate concerns. A notable portion of the plugin's attack surface is unprotected, with 3 out of 4 entry points (AJAX handlers and shortcodes) lacking authentication checks, creating opportunities for unauthorized actions. The absence of prepared statements for the single SQL query is a direct pathway to SQL injection vulnerabilities. Furthermore, the plugin exhibits a very low rate of proper output escaping (9%), making it highly susceptible to Cross-Site Scripting attacks across many of its output points.

While the absence of critical taint flows and file operations is a minor positive, these strengths are heavily outweighed by the identified risks. The plugin's historical track record, combined with the high number of unprotected entry points, raw SQL queries, and poor output escaping, indicates a plugin that is inherently insecure and requires immediate attention, likely through updating or replacement.

Key Concerns

  • Multiple unprotected AJAX handlers
  • Raw SQL query without prepared statements
  • Very low rate of proper output escaping
  • Presence of shortcode without auth check
  • High number of total CVEs, indicating recurring issues
  • History of critical and high severity vulnerabilities
Vulnerabilities (11)

cformsII Security Vulnerabilities

CVEs by Year

  • 2010: 2 CVEs
  • 2014: 2 CVEs
  • 2015: 1 CVE
  • 2017: 2 CVEs
  • 2019: 1 CVE
  • 2023: 1 CVE
  • 2024: 2 CVEs

Severity Breakdown

  • Critical: 2
  • High: 3
  • Medium: 6

11 total CVEs

CVE-2024-22149 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
cformsII <= 15.0.6 - Unauthenticated Stored Cross-Site Scripting
Jan 15, 2024 · Patched in 15.0.7 (473d)

CVE-2023-52203 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
cformsII <= 15.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Jan 3, 2024 · Patched in 15.0.7 (485d)

CVE-2023-25449 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
cformsII <= 15.0.4 - Cross-Site Request Forgery leading to Settings Updates
Mar 8, 2023 · Patched in 15.0.5 (321d)

CVE-2019-15238 · high · 8.8 · Cross-Site Request Forgery (CSRF)
CformsII <= 15.0.1 - Unauthenticated HTML Injection & Cross-Site Request Forgery
Aug 12, 2019 · Patched in 15.0.2 (1625d)

CVE-2017-18559 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
cformsII <= 14.13.2 - Cross-Site Scripting
Apr 28, 2017 · Patched in 14.13.3 (2461d)

CVE-2017-18570 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
cformsII <= 14.12.3 - Authenticated SQL Injection
Apr 24, 2017 · Patched in 14.13 (2465d)

CVE-2015-9333 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
cformsII < 14.6.10 - SQL Injection
Apr 11, 2015 · Patched in 14.6.10 (3209d)

CVE-2014-9473 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
cformsII < 14.8 - Arbitrary File Upload
Dec 29, 2014 · Patched in 14.8 (3312d)

CVE-2014-10377 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
cformsII <= 13.1 - Cross-Site Scripting
Oct 16, 2014 · Patched in 13.2 (3386d)

CformsII <= 14.10.1 - CAPTCHA Bypass
Dec 15, 2010 · Patched in 14.11 (4787d)

CVE-2010-3977 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CformsII <= 11.5 - Cross-Site Scripting
Nov 2, 2010 · Patched in 11.6.1 (4830d)
Code Analysis (analyzed Mar 16, 2026)

cformsII Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (0 prepared)
  • Unescaped Output: 107 (10 escaped)
  • Nonce Checks: 5
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

0% prepared (1 total query)

Output Escaping

9% escaped (117 total outputs)
Data Flows (all sanitized)

Data Flow Analysis

2 flows
<cforms-corrupted> (cforms-corrupted.php:0)
Attack Surface (3 unprotected)

cformsII Attack Surface

Entry Points: 4
Unprotected: 3

AJAX Handlers (3)

  • auth · wp_ajax_cforms2_field · cforms.php:86
  • auth · wp_ajax_submitcform · cforms.php:101
  • nopriv · wp_ajax_submitcform · cforms.php:102

Shortcodes (1)

  • [cforms] · cforms.php:112

WordPress Hooks (22)

  • action · admin_footer · cforms-options.php:983
  • action · init · cforms.php:68
  • action · admin_menu · cforms.php:72
  • action · admin_enqueue_scripts · cforms.php:82
  • action · admin_menu · cforms.php:85
  • action · admin_bar_menu · cforms.php:93
  • action · admin_bar_menu · cforms.php:95
  • action · template_redirect · cforms.php:100
  • action · plugins_loaded · cforms.php:103
  • action · widgets_init · cforms.php:106
  • action · init · cforms.php:109
  • action · wp_enqueue_scripts · cforms.php:110
  • action · wp_mail_failed · cforms.php:111
  • filter · wp_mail_charset · Email.php:226
  • filter · cforms2_add_fieldtype · Fieldtypes\captcha.php:59
  • filter · cforms2_add_captcha · Fieldtypes\captcha.php:60
  • filter · cforms2_add_fieldtype · Fieldtypes\Fieldtype.php:107
  • filter · mce_external_plugins · lib_editor.php:56
  • filter · wp_mce_translation · lib_editor.php:57
  • filter · mce_buttons · lib_editor.php:58
  • action · admin_print_scripts · lib_editor.php:59
  • action · admin_enqueue_scripts · lib_functions.php:26
Maintenance & Trust

cformsII Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 10, 2026
  • PHP min version:
  • Downloads: 257K

Community Trust

  • Rating: 86/100
  • Number of ratings: 21
  • Active installs: 4K
Developer Profile

cformsII Developer Profile

bgermann

2 plugins · 4K total installs

  • Trust score: 74
  • Avg Security Score: 93/100
  • Avg Patch Time: 2487 days
Detection Fingerprints

How We Detect cformsII

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/cforms2/styling/
  • /wp-content/plugins/cforms2/js/cforms.js
  • /wp-content/plugins/cforms2/js/jquery.cforms.js
Script Paths
  • /wp-content/plugins/cforms2/js/cforms.js
  • /wp-content/plugins/cforms2/js/jquery.cforms.js
Version Parameters
  • cforms2/style.css?ver=
  • cforms2?ver=

HTML / DOM Fingerprints

CSS Classes
  • cforms-container
  • cforms-error
  • cforms-success
  • cforms-field
HTML Comments
  • <!-- BEGIN cforms2 -->
  • <!-- END cforms2 -->
Data Attributes
  • data-cf7-validation-error
  • data-cforms2-id
JS Globals
  • cforms2_ajax
Shortcode Output
  • [cforms]
FAQ

Frequently Asked Questions about cformsII