Does ChiliForms have any unpatched vulnerabilities?

No. All known vulnerabilities in ChiliForms have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is ChiliForms compatible with WordPress 4.6.30?

According to WordPress.org data, ChiliForms 0.5.1 has been tested up to WordPress 4.6.30. Check the plugin's changelog for the latest compatibility information.

How often is ChiliForms updated?

ChiliForms was last updated on Dec 3, 2016. Frequent updates are generally a positive security signal.

What is ChiliForms's security score?

ChiliForms has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

ChiliForms Security & Risk Analysis

wordpress.org/plugins/chiliforms

Easy to use drag-n-drop contact form builder plugin for your blog or website.

10 active installs v0.5.1 PHP + WP 3.0.1+ Updated Dec 3, 2016

ajaxcontact-formemailformform-builder

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is ChiliForms Safe to Use in 2026?

Generally Safe

Score 85/100

ChiliForms has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago

Risk Assessment

The chiliforms plugin v0.5.1 exhibits a mixed security posture. On one hand, it demonstrates good practices in its SQL query handling and output escaping, with a high percentage of queries using prepared statements and a very high percentage of outputs being properly escaped. The absence of known CVEs and a clean vulnerability history is also a positive sign, suggesting a generally stable codebase. However, a significant concern arises from its attack surface. With 13 out of 14 entry points being AJAX handlers that lack authentication checks, the plugin exposes a substantial portion of its functionality to unauthorized users. This presents a high risk of potential exploitation if any of these AJAX actions can be triggered with malicious intent.

The static analysis reveals one use of the dangerous `create_function` in the code. While taint analysis shows no critical or high-severity flows, the presence of a dangerous function combined with the large number of unprotected AJAX endpoints warrants caution. The limited scope of capability checks (only 5) further exacerbates the risk associated with the unprotected AJAX handlers, as there's a lack of granular access control.

In conclusion, while chiliforms v0.5.1 has strengths in its data handling and a clean vulnerability history, its most significant weakness is the extensive exposure of AJAX endpoints without proper authentication. This is a critical security flaw that could lead to various vulnerabilities, including privilege escalation or denial-of-service attacks, depending on the functionality of these handlers. The presence of `create_function` is a secondary, though still important, concern.

Key Concerns

AJAX handlers without auth checks
Use of dangerous function: create_function
Limited capability checks

Vulnerabilities

None known

ChiliForms Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

ChiliForms Code Analysis

Dangerous Functions

Raw SQL Queries

16 prepared

Unescaped Output

207 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

create_functionadd_action( 'admin_notices', create_function( '',chiliforms.php:11

SQL Query Safety

73% prepared22 total queries

Output Escaping

92% escaped224 total outputs

Attack Surface

13 unprotected

ChiliForms Attack Surface

Entry Points14

Unprotected13

AJAX Handlers 13

authwp_ajax_kcf_create_formmodules\actions\KCF_AjaxActions.php:15

authwp_ajax_kcf_delete_formmodules\actions\KCF_AjaxActions.php:16

authwp_ajax_kcf_save_formmodules\actions\KCF_AjaxActions.php:17

authwp_ajax_kcf_activate_formmodules\actions\KCF_AjaxActions.php:18

authwp_ajax_kcf_deactivate_formmodules\actions\KCF_AjaxActions.php:19

authwp_ajax_kcf_mark_entries_as_readmodules\actions\KCF_AjaxActions.php:20

authwp_ajax_kcf_mark_entries_as_unreadmodules\actions\KCF_AjaxActions.php:21

authwp_ajax_kcf_mark_entries_as_starredmodules\actions\KCF_AjaxActions.php:22

authwp_ajax_kcf_mark_entries_as_unstarredmodules\actions\KCF_AjaxActions.php:23

authwp_ajax_kcf_delete_entriesmodules\actions\KCF_AjaxActions.php:24

authwp_ajax_kcf_save_plugin_settingsmodules\actions\KCF_AjaxActions.php:25

authwp_ajax_kcf_submit_formmodules\actions\KCF_AjaxActions.php:28

noprivwp_ajax_kcf_submit_formmodules\actions\KCF_AjaxActions.php:29

Shortcodes 1

[chiliforms] modules\api\api.php:24

WordPress Hooks 10

actionadmin_noticeschiliforms.php:11

filterthe_postsmodules\app\KCF_AppController.php:28

actionwp_enqueue_scriptsmodules\app\KCF_AppController.php:34

actionadmin_menumodules\pages\entries\KCF_BaseEntriesPageController.php:12

actionadmin_enqueue_scriptsmodules\pages\entries\KCF_BaseEntriesPageController.php:13

actionadmin_menumodules\pages\forms\KCF_BaseFormsPageController.php:12

actionadmin_enqueue_scriptsmodules\pages\forms\KCF_BaseFormsPageController.php:13

actionadmin_menumodules\pages\KCF_AdminPageController.php:10

actionadmin_menumodules\pages\options\KCF_BaseOptionsPageController.php:12

actionadmin_enqueue_scriptsmodules\pages\options\KCF_BaseOptionsPageController.php:13

Maintenance & Trust

ChiliForms Maintenance & Trust

Maintenance Signals

WordPress version tested4.6.30

Last updatedDec 3, 2016

PHP min version

Downloads2K

Community Trust

Rating100/100

Number of ratings1

Active installs10

Alternatives

ChiliForms Alternatives

WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress

wpzoom-forms

100

Drag & drop contact form builder for WordPress. Create contact forms, custom forms, email forms with spam protection. Works with Elementor, shortcodes

10K No CVEs

Contact Form Widget

new-contact-form-widget

Create contact forms with query table management. Simple setup, secure submissions, and easy customization for your site.

1K 1 unpatched

Quick Contact Form

quick-contact-form

An easy to set up, plug and play contact form with a huge range of options and styles. A beginner friendly WordPress contact form plugin.

1K 7 CVEs

Contact Forms by Cimatti

contact-forms

Create and publish forms in your WordPress website with drag and drop. Contact forms, landing page forms, invitations, and more.

700 11 CVEs

Contact Form X

contact-form-x

100

Displays a user-friendly contact form that your visitors will love. Lightweight, fast, secure, and accessible (ADA/WCAG compliant).

400 1 CVE

Developer Profile

ChiliForms Developer Profile

KonstruktStudio

3 plugins · 70 total installs

trust score

Avg Security Score

90/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect ChiliForms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/chiliforms/js/build/clientside/chiliforms.js/wp-content/plugins/chiliforms/assets/css/bundle/chiliforms.css/wp-content/plugins/chiliforms/js/build/admin/react.bundle.js/wp-content/plugins/chiliforms/js/build/admin/chiliforms.bundle.js/wp-content/plugins/chiliforms/assets/css/bundle/admin.css

Script Paths

js/build/clientside/chiliforms.jsjs/build/admin/react.bundle.jsjs/build/admin/chiliforms.bundle.js

Version Parameters

chiliforms.js?ver=chiliforms.css?ver=react.bundle.js?ver=chiliforms.bundle.js?ver=admin.css?ver=

HTML / DOM Fingerprints

CSS Classes

chiliforms-form-wrapper

HTML Comments

Data Attributes

data-kcf-form-id

JS Globals

KCFDataKCF_VERSION

FAQ