Constant Contact Forms Security & Risk Analysis

wordpress.org/plugins/constant-contact-forms

The official Constant Contact plugin adds a contact form to your WordPress site to quickly capture information from visitors.

20K active installs · v2.16.2 · PHP 8.1+ · WP 6.4.0+ · Updated Feb 23, 2026
Tags: constant-contact, constant-contact-official, contacts, marketing, newsletter
Score: 99 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jan 3, 2024
Safety Verdict

Is Constant Contact Forms Safe to Use in 2026?

Generally Safe

Score 99/100

Constant Contact Forms has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 3, 2024 · Updated 1mo ago
Risk Assessment

The 'constant-contact-forms' v2.16.2 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and a high percentage of properly escaped output. It also correctly utilizes nonce checks and capability checks for a significant number of its entry points. The absence of reported critical or high severity vulnerabilities, and specifically no currently unpatched CVEs, is a positive indicator. Furthermore, the taint analysis revealed no flows with unsanitized paths, suggesting that sensitive data may be handled with some care.

However, the static analysis highlights several significant concerns. The plugin exposes 5 AJAX handlers, of which 4 lack authentication checks; this is a critical weakness because it opens the door to unauthorized actions or data exposure. The presence of dangerous functions such as 'proc_open' and 'shell_exec' is also a notable risk, even though the taint analysis found no direct evidence of exploitation, since such functions can be leveraged for arbitrary code execution if a vulnerability reaches them; note that all three occurrences listed in the code analysis sit in the bundled Monolog library under vendor_prefixed rather than in plugin-specific code. The vulnerability history, while currently showing no unpatched issues, indicates a past pattern of medium severity vulnerabilities, including Exposure of Sensitive Information, Missing Authorization, and Cross-site Scripting, suggesting a recurring need for diligent patching and secure coding practices.

In conclusion, while the plugin has made strides in securing its database interactions and output handling, the high number of unprotected AJAX endpoints and the presence of dangerous functions represent a significant security risk. The past vulnerability history, although currently clean, serves as a reminder of potential weaknesses. Addressing the unprotected AJAX handlers should be the immediate priority to improve the overall security of the plugin.

Key Concerns

  • Unprotected AJAX handlers
  • Presence of dangerous functions (proc_open, shell_exec)
  • History of medium severity vulnerabilities (4 total)
Vulnerabilities (4)

Constant Contact Forms Security Vulnerabilities

CVEs by Year

2020: 1 CVE
2023: 2 CVEs
2024: 1 CVE

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2023-52208 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Constant Contact Forms <= 2.4.2 - Information Disclosure via Log Files
Jan 3, 2024 · Patched in 2.4.3 (20d)

(CVE ID not shown on the page) · Missing Authorization
Constant Contact Forms <= 2.0.2 - Missing Authorization via constant_contact_privacy_ajax_handler
Jun 15, 2023 · Patched in 2.0.3 (222d)

CVE-2023-34387 · medium · 4.3 · Missing Authorization
Constant Contact Forms <= 1.14.0 - Missing Authorization via constant_contact_optin_ajax_handler
Jun 3, 2023 · Patched in 2.0.0 (234d)

CVE-2021-24134 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Constant Contact Forms <= 1.8.7 Editor+ Stored Cross-Site Scripting
Sep 6, 2020 · Patched in 1.8.8 (1234d)
Code Analysis
Analyzed Mar 16, 2026

Constant Contact Forms Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 30 (428 escaped)
Nonce Checks: 5
Capability Checks: 17
File Operations: 30
External Requests: 11
Bundled Libraries: 0

Dangerous Functions Found

proc_open: $this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd); (vendor_prefixed\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:115)
shell_exec: $branches = shell_exec('git branch -v --no-abbrev'); (vendor_prefixed\monolog\monolog\src\Monolog\Processor\GitProcessor.php:65)
shell_exec: $result = explode(' ', trim((string) shell_exec('hg id -nb'))); (vendor_prefixed\monolog\monolog\src\Monolog\Processor\MercurialProcessor.php:64)

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

93% escaped (458 total outputs)
Attack Surface
4 unprotected

Constant Contact Forms Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers (5)

auth:   wp_ajax_ctct_dismiss_first_modal (constant-contact-forms.php:464)
nopriv: wp_ajax_ctct_dismiss_first_modal (constant-contact-forms.php:465)
auth:   wp_ajax_ctct_process_form (includes\class-process-form.php:49)
nopriv: wp_ajax_ctct_process_form (includes\class-process-form.php:50)
auth:   wp_ajax_constant_contact_review_ajax_handler (includes\helper-functions.php:136)
WordPress Hooks (163; repeated registrations of the same hook are grouped on one line)

action: admin_notices (constant-contact-forms.php:359)
action: admin_notices (constant-contact-forms.php:447)
action: init (constant-contact-forms.php:451)
action: widgets_init (constant-contact-forms.php:452)
filter: body_class (constant-contact-forms.php:453)
filter: widget_text (constant-contact-forms.php:457)
action: admin_enqueue_scripts (constant-contact-forms.php:458)
action: wp_enqueue_scripts (constant-contact-forms.php:459)
action: init (constant-contact-forms.php:460)
action: save_post (constant-contact-forms.php:461)
action: plugins_loaded (constant-contact-forms.php:1002)
action: admin_enqueue_scripts (includes\class-admin-pages.php:45)
action: current_screen (includes\class-admin.php:97)
action: admin_init (includes\class-admin.php:98)
action: admin_menu (includes\class-admin.php:99)
filter: manage_ctct_forms_posts_columns (includes\class-admin.php:101)
action: manage_ctct_forms_posts_custom_column (includes\class-admin.php:102)
filter: manage_ctct_lists_posts_columns (includes\class-admin.php:104)
action: manage_ctct_lists_posts_custom_column (includes\class-admin.php:105)
action: admin_enqueue_scripts (includes\class-admin.php:109)
action: in_admin_header (includes\class-admin.php:122)
action: init (includes\class-api.php:167)
action: ctct_refresh_token_job (includes\class-api.php:168)
action: ctct_access_token_acquired (includes\class-api.php:169)
filter: cron_schedules (includes\class-api.php:206)
filter: constant_contact_force_logging (includes\class-api.php:338, 349, 387, 398, 448, 455, 466, 509, 520, 564, 575, 612, 623, 656, 667, 713, 724, 758, 769, 834, 845, 964, 975; 23 registrations)
filter: wp_mail_content_type (includes\class-api.php:1852)
action: cmb2_render_ctct_forms_list_selection (includes\class-attached-lists-field.php:31)
action: cmb2_sanitize_ctct_forms_list_selection (includes\class-attached-lists-field.php:32)
action: cmb2_attached_posts_field_add_find_posts_div (includes\class-attached-lists-field.php:34)
action: cmb2_after_init (includes\class-attached-lists-field.php:35)
action: admin_footer (includes\class-attached-lists-field.php:47)
action: wp_footer (includes\class-attached-lists-field.php:398)
action: pre_get_posts (includes\class-attached-lists-field.php:426)
action: init (includes\class-beaver-builder.php:38)
action: init (includes\class-block.php:39)
action: init (includes\class-builder-fields.php:74)
action: init (includes\class-builder-fields.php:75)
action: cmb2_admin_init (includes\class-builder-fields.php:106, 107, 108, 109, 110, 111, 112, 113, 114, 115; 10 registrations)
filter: cmb2_override__ctct_generated_shortcode_meta_save (includes\class-builder-fields.php:116)
action: cmb2_render_reset_css_button (includes\class-builder-fields.php:117)
action: admin_enqueue_scripts (includes\class-builder-fields.php:118)
action: init (includes\class-builder.php:56)
action: cmb2_after_post_form_ctct_0_description_metabox (includes\class-builder.php:77)
action: cmb2_save_field (includes\class-builder.php:78)
action: admin_notices (includes\class-builder.php:79)
action: save_post (includes\class-builder.php:80)
filter: redirect_post_location (includes\class-builder.php:250)
action: init (includes\class-connect.php:80)
action: plugins_loaded (includes\class-connect.php:81)
action: admin_menu (includes\class-connect.php:82)
action: init (includes\class-cpts.php:47)
action: init (includes\class-cpts.php:48)
filter: post_updated_messages (includes\class-cpts.php:50)
filter: enter_title_here (includes\class-cpts.php:51)
filter: post_row_actions (includes\class-cpts.php:53)
action: admin_menu (includes\class-cpts.php:54)
action: admin_notices (includes\class-cpts.php:55)
action: wp_enqueue_scripts (includes\class-display-shortcode.php:57)
action: wp_enqueue_scripts (includes\class-display.php:53)
action: wp_enqueue_scripts (includes\class-display.php:54)
action: elementor/widgets/widgets_registered (includes\class-elementor.php:48)
filter: script_loader_tag (includes\class-hcaptcha.php:246)
filter: debug_information (includes\class-health.php:16)
action: cmb2_admin_init (includes\class-lists.php:52)
action: cmb2_admin_init (includes\class-lists.php:53)
action: save_post_ctct_lists (includes\class-lists.php:55)
action: transition_post_status (includes\class-lists.php:56)
action: wp_trash_post (includes\class-lists.php:58)
action: cmb2_after_post_form_ctct_list_metabox (includes\class-lists.php:60)
action: cmb2_render_constant_contact_list_information (includes\class-lists.php:61)
filter: views_edit-ctct_lists (includes\class-lists.php:63)
action: admin_init (includes\class-lists.php:64)
filter: post_row_actions (includes\class-lists.php:66)
action: admin_init (includes\class-lists.php:68)
action: constant_contact_sync_lists (includes\class-lists.php:71)
action: update_option__ctct_access_token (includes\class-lists.php:74)
filter: admin_body_class (includes\class-lists.php:772)
action: admin_notices (includes\class-lists.php:777)
action: admin_menu (includes\class-logging.php:143)
action: admin_init (includes\class-logging.php:144)
action: admin_init (includes\class-logging.php:145)
action: admin_enqueue_scripts (includes\class-logging.php:146)
action: admin_footer (includes\class-logging.php:147)
action: admin_init (includes\class-logging.php:148)
filter: wp_mail_content_type (includes\class-mail.php:353)
filter: wp_kses_allowed_html (includes\class-notification-content.php:116)
filter: constant_contact_notifications (includes\class-notification-content.php:409, 429, 448, 467, 486, 504, 523, 543, 564; 9 registrations)
action: admin_notices (includes\class-notifications.php:82)
filter: script_loader_tag (includes\class-recaptcha-v2.php:68)
action: cmb2_admin_init (includes\class-settings.php:71)
action: cmb2_admin_init (includes\class-settings.php:72)
action: cmb2_admin_init (includes\class-settings.php:73)
action: admin_menu (includes\class-settings.php:75)
filter: parent_file (includes\class-settings.php:76)
filter: preprocess_comment (includes\class-settings.php:80)
filter: authenticate (includes\class-settings.php:81)
action: user_register (includes\class-settings.php:82)
action: cmb2_save_field__ctct_logging (includes\class-settings.php:83)
filter: constant_contact_custom_spam_message (includes\class-settings.php:84)
action: login_form (includes\class-settings.php:126)
action: comment_form (includes\class-settings.php:127)
action: register_form (includes\class-settings.php:129)
action: signup_extra_fields (includes\class-settings.php:130)
action: login_head (includes\class-settings.php:131)
action: admin_enqueue_scripts (includes\class-settings.php:132)
filter: script_loader_tag (includes\class-turnstile.php:239)
action: plugins_loaded (includes\class-updates.php:47)
filter: constant_contact_process_form_success (includes\class-user-customizations.php:46)
filter: constant_contact_front_form_action (includes\class-user-customizations.php:47)
filter: constant_contact_destination_email (includes\class-user-customizations.php:48)
filter: cta_excluded_post_types (includes\compatibility.php:27)
filter: constant_contact_ignored_post_form_values (includes\compatibility.php:42)
filter: constant_contact_ignored_post_form_values (includes\compatibility.php:57)
filter: constant_contact_ignored_post_form_values (includes\compatibility.php:116)
filter: constant_contact_ignored_post_form_values (includes\compatibility.php:131)
filter: constant_contact_recaptcha_lang (includes\compatibility.php:146)
filter: constant_contact_recaptcha_lang (includes\compatibility.php:164)
action: wp_head (includes\helper-functions.php:159)
filter: constant_contact_maybe_spam (includes\helper-functions.php:223)
filter: constant_contact_maybe_spam (includes\helper-functions.php:375)
action: trash_ctct_forms (includes\helper-functions.php:708)
action: untrashed_post (includes\helper-functions.php:729)
action: admin_head (includes\helper-functions.php:790)

Scheduled Events (1)

ctct_refresh_token_job
Maintenance & Trust

Constant Contact Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 23, 2026
PHP min version: 8.1
Downloads: 2.7M

Community Trust

Rating: 54/100
Number of ratings: 100
Active installs: 20K
Developer Profile

Constant Contact Forms Developer Profile

Constant Contact

3 plugins · 321K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 384 days
Detection Fingerprints

How We Detect Constant Contact Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/constant-contact-forms/assets/css/ctct-admin.css
/wp-content/plugins/constant-contact-forms/assets/css/ctct-frontend.css
/wp-content/plugins/constant-contact-forms/assets/js/ctct-admin.js
/wp-content/plugins/constant-contact-forms/assets/js/ctct-frontend.js
/wp-content/plugins/constant-contact-forms/assets/js/vendor/tinymce/plugins/compat3x/table.js
/wp-content/plugins/constant-contact-forms/assets/js/vendor/tinymce/plugins/compat3x/lists.js
/wp-content/plugins/constant-contact-forms/assets/js/vendor/tinymce/plugins/compat3x/source_view.js
/wp-content/plugins/constant-contact-forms/assets/js/vendor/tinymce/plugins/compat3x/paste.js
(+23 more)
Script Paths
/wp-content/plugins/constant-contact-forms/assets/js/ctct-admin.js
/wp-content/plugins/constant-contact-forms/assets/js/ctct-frontend.js
Version Parameters
constant-contact-forms/assets/css/ctct-admin.css?ver=
constant-contact-forms/assets/css/ctct-frontend.css?ver=
constant-contact-forms/assets/js/ctct-admin.js?ver=
constant-contact-forms/assets/js/ctct-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
ctct-form-container, ctct-form, ctct-form-field, ctct-form-label, ctct-form-input, ctct-form-textarea, ctct-form-submit, ctct-form-error (+23 more)
HTML Comments
<!-- The main Constant Contact Forms plugin file -->
<!-- Autoloads files with classes when needed. -->
<!-- Main initiation class. -->
<!-- Creates or returns an instance of this class. -->
(+34 more)
Data Attributes
data-ctct-form-id, data-ctct-form-name, data-ctct-form-action, data-ctct-field-id, data-ctct-field-name, data-ctct-field-type (+4 more)
JS Globals
ctct_admin_params, ctct_frontend_params, ConstantContactForm, ctct_form_data
REST Endpoints
/wp-json/constant-contact-forms/v1/submit
/wp-json/constant-contact-forms/v1/settings
/wp-json/constant-contact-forms/v1/lists
/wp-json/constant-contact-forms/v1/forms
/wp-json/constant-contact-forms/v1/templates
Shortcode Output
[ctct-form id="
[ctct-form name="
FAQ

Frequently Asked Questions about Constant Contact Forms