Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/contact-form-7

Just another contact form plugin. Simple but flexible.

10.0M active installs v6.1.5 PHP 7.4+ WP 6.7+ Updated Feb 8, 2026
Tags: contact-form, schema-woven-validation

Security score: 89 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Apr 15, 2025
Safety Verdict

Is Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 89/100

Contact Form 7 has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Apr 15, 2025 · Updated 1mo ago
Risk Assessment

Contact Form 7 v6.1.5 demonstrates a generally strong security posture with robust use of prepared statements for SQL queries and a high percentage of properly escaped output. The plugin also implements a good number of nonce and capability checks, indicating an awareness of common WordPress security practices. The static analysis reveals a small attack surface, with no unprotected entry points detected. However, the plugin's history of 8 known CVEs, including one critical and one high-severity vulnerability, is a significant concern. The types of past vulnerabilities, such as Cross-site Scripting and Improper Authorization, suggest recurring areas where validation or access control might have been insufficient. While the current version has no unpatched CVEs and the taint analysis shows no critical or high-severity flows, the historical pattern of vulnerabilities necessitates caution. The presence of file operations and external HTTP requests, although not flagged as immediate risks in this analysis, could be potential avenues for future vulnerabilities if not meticulously managed.

Key Concerns

  • History of 1 critical CVE
  • History of 1 high severity CVE
  • History of 6 medium severity CVEs
  • 1 file operation detected
  • 13 external HTTP requests detected
Vulnerabilities (8)

Contact Form 7 Security Vulnerabilities

CVEs by Year

2014: 2 CVEs
2018: 1 CVE
2020: 1 CVE
2023: 1 CVE
2024: 2 CVEs
2025: 1 CVE

Severity Breakdown

Critical: 1
High: 1
Medium: 6

8 total CVEs

CVE-2025-3247 · medium · 5.3 · Improper Validation of Integrity Check Value
Contact Form 7 <= 6.0.5 - Order Replay Vulnerability
Apr 15, 2025 · Patched in 6.0.6 (1d)

CVE-2024-4704 · medium · 6.1 · URL Redirection to Untrusted Site ('Open Redirect')
Contact Form 7 <= 5.9.4 - Unauthenticated Open Redirect
Jun 5, 2024 · Patched in 5.9.5 (27d)

CVE-2024-2242 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form 7 <= 5.9 - Reflected Cross-Site Scripting
Mar 13, 2024 · Patched in 5.9.2 (1d)

CVE-2023-6449 · medium · 6.6 · Unrestricted Upload of File with Dangerous Type
Contact Form 7 <= 5.8.3 - Authenticated (Editor+) Arbitrary File Upload
Nov 30, 2023 · Patched in 5.8.4 (54d)

CVE-2020-35489 · high · 8.1 · Unrestricted Upload of File with Dangerous Type
Contact Form 7 <= 5.3.1 - Arbitrary File Upload via Bypass
Dec 17, 2020 · Patched in 5.3.2 (1132d)

CVE-2018-20979 · medium · 6.3 · Improper Authorization
Contact Form 7 <= 5.0.3 - Authorization Bypass
Sep 4, 2018 · Patched in 5.0.4 (1967d)

WF-92298f2d-aced-4177-b6e8-36e153e9c930-contact-form-7 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
Contact Form 7 <= 3.5.2 - Arbitrary File Upload
Aug 1, 2014 · Patched in 3.5.3 (3462d)

CVE-2014-2265 · medium · 5.3 · Protection Mechanism Failure
Contact Form 7 < 3.7.2 - CAPTCHA Bypass
Feb 26, 2014 · Patched in 3.7.2 (3618d)
Code Analysis
Analyzed Mar 16, 2026

Contact Form 7 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (9 prepared)
Unescaped Output: 15 (315 escaped)
Nonce Checks: 11
Capability Checks: 31
File Operations: 1
External Requests: 13
Bundled Libraries: 0

SQL Query Safety

100% prepared · 9 total queries

Output Escaping

95% escaped · 330 total outputs
Attack Surface

Contact Form 7 Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers (1)

auth  wp_ajax_wpcf7-update-welcome-panel  admin\includes\welcome-panel.php:207

Shortcodes (2)

[contact-form-7]  load.php:136
[contact-form]  load.php:137
WordPress Hooks (137)

action  admin_init  admin\admin.php:10
action  admin_menu  admin\admin.php:19
action  admin_enqueue_scripts  admin\admin.php:107
filter  set_screen_option_wpcf7_contact_forms_per_page  admin\admin.php:211
action  wpcf7_admin_notices  admin\admin.php:620
filter  plugin_action_links  admin\admin.php:674
action  wpcf7_admin_warnings  admin\admin.php:696
action  wpcf7_admin_warnings  admin\admin.php:716
action  wpcf7_admin_warnings  admin\admin.php:734
action  wpcf7_admin_warnings  admin\admin.php:748
action  wpcf7_admin_menu  admin\includes\config-validator.php:3
filter  wpcf7_admin_menu_change_notice  admin\includes\config-validator.php:23
action  wpcf7_admin_warnings  admin\includes\config-validator.php:28
action  wpcf7_admin_load  admin\includes\config-validator.php:60
filter  screen_settings  admin\includes\welcome-panel.php:240
action  init  includes\block-editor\block-editor.php:3
filter  map_meta_cap  includes\capabilities.php:3
action  wpcf7_update_option  includes\config-validator\actions.php:3
action  parse_request  includes\controller.php:7
action  wp_enqueue_scripts  includes\controller.php:33
action  wp_enqueue_scripts  includes\controller.php:163
filter  wpcf7_messages  includes\file.php:92
filter  wpcf7_form_enctype  includes\file.php:127
action  wpcf7_init  includes\file.php:257
action  shutdown  includes\file.php:351
action  wpcf7_admin_warnings  includes\file.php:404
filter  wpcf7_mail_html_body  includes\mail.php:3
action  phpmailer_init  includes\mail.php:466
action  rest_api_init  includes\rest-api.php:3
filter  wpcf7_special_mail_tags  includes\special-mail-tags.php:7
filter  wpcf7_special_mail_tags  includes\special-mail-tags.php:89
filter  wpcf7_special_mail_tags  includes\special-mail-tags.php:155
filter  wpcf7_special_mail_tags  includes\special-mail-tags.php:224
action  wp_enqueue_scripts  includes\swv\script-loader.php:3
action  wpcf7_init  includes\swv\swv.php:46
action  wpcf7_upgrade  includes\upgrade.php:3
action  wpcf7_upgrade  includes\upgrade.php:35
action  wpcf7_upgrade  includes\upgrade.php:114
action  plugins_loaded  load.php:128
action  init  load.php:141
action  admin_init  load.php:154
action  wpcf7_init  modules\acceptance.php:8
filter  wpcf7_validate_acceptance  modules\acceptance.php:113
filter  wpcf7_acceptance  modules\acceptance.php:145
filter  wpcf7_form_class_attr  modules\acceptance.php:185
filter  wpcf7_mail_tag_replaced_acceptance  modules\acceptance.php:208
action  wpcf7_admin_init  modules\acceptance.php:252
action  wpcf7_init  modules\akismet\akismet.php:11
filter  wpcf7_spam  modules\akismet\akismet.php:29
filter  wpcf7_posted_data  modules\akismet\akismet.php:241
filter  wpcf7_default_template  modules\akismet\akismet.php:277
action  wpcf7_init  modules\checkbox.php:8
action  wpcf7_swv_create_schema  modules\checkbox.php:192
action  wpcf7_swv_create_schema  modules\checkbox.php:228
filter  wpcf7_posted_data_checkbox  modules\checkbox.php:308
filter  wpcf7_posted_data_checkbox*  modules\checkbox.php:313
filter  wpcf7_posted_data_radio  modules\checkbox.php:318
action  wpcf7_admin_init  modules\checkbox.php:344
action  wpcf7_init  modules\constant-contact\constant-contact.php:8
action  wpcf7_init  modules\count.php:8
action  wpcf7_init  modules\date.php:9
action  wpcf7_swv_create_schema  modules\date.php:96
filter  wpcf7_messages  modules\date.php:152
action  wpcf7_admin_init  modules\date.php:176
filter  wpcf7_spam  modules\disallowed-list.php:3
action  wpcf7_doi  modules\doi-helper.php:9
action  wpcf7_init  modules\file.php:8
action  wpcf7_swv_create_schema  modules\file.php:72
filter  wpcf7_mail_tag_replaced_file  modules\file.php:114
filter  wpcf7_mail_tag_replaced_file*  modules\file.php:115
action  wpcf7_admin_init  modules\file.php:137
action  wpcf7_submit  modules\flamingo.php:7
action  wpcf7_after_update  modules\flamingo.php:261
filter  wpcf7_special_mail_tags  modules\flamingo.php:295
action  wpcf7_init  modules\hidden.php:3
filter  wpcf7_form_tag_data_option  modules\listo.php:7
action  wpcf7_init  modules\number.php:10
action  wpcf7_swv_create_schema  modules\number.php:105
filter  wpcf7_messages  modules\number.php:171
action  wpcf7_admin_init  modules\number.php:195
action  wpcf7_init  modules\quiz.php:8
filter  wpcf7_validate_quiz  modules\quiz.php:96
filter  wpcf7_refill_response  modules\quiz.php:121
filter  wpcf7_feedback_response  modules\quiz.php:122
filter  wpcf7_messages  modules\quiz.php:173
action  wpcf7_admin_init  modules\quiz.php:191
action  wpcf7_init  modules\really-simple-captcha.php:8
filter  wpcf7_validate_captchar  modules\really-simple-captcha.php:164
filter  wpcf7_refill_response  modules\really-simple-captcha.php:186
filter  wpcf7_feedback_response  modules\really-simple-captcha.php:187
filter  wpcf7_messages  modules\really-simple-captcha.php:228
action  wpcf7_admin_warnings  modules\really-simple-captcha.php:246
action  shutdown  modules\really-simple-captcha.php:487
action  wpcf7_init  modules\recaptcha\recaptcha.php:11
action  wp_enqueue_scripts  modules\recaptcha\recaptcha.php:25
filter  wpcf7_form_hidden_fields  modules\recaptcha\recaptcha.php:100
filter  wpcf7_spam  modules\recaptcha\recaptcha.php:122
action  wpcf7_init  modules\recaptcha\recaptcha.php:167
action  wpcf7_upgrade  modules\recaptcha\recaptcha.php:186
action  wpcf7_admin_menu  modules\recaptcha\recaptcha.php:208
filter  wpcf7_admin_menu_change_notice  modules\recaptcha\recaptcha.php:218
action  wpcf7_admin_warnings  modules\recaptcha\recaptcha.php:224
action  wpcf7_init  modules\reflection.php:9
action  wpcf7_init  modules\response.php:8
action  wpcf7_init  modules\select.php:8
action  wpcf7_swv_create_schema  modules\select.php:130
action  wpcf7_swv_create_schema  modules\select.php:152
action  wpcf7_admin_init  modules\select.php:223
filter  wpcf7_pre_construct_contact_form_properties  modules\sendinblue\contact-form-properties.php:3
action  wpcf7_save_contact_form  modules\sendinblue\contact-form-properties.php:25
filter  wpcf7_editor_panels  modules\sendinblue\contact-form-properties.php:61
action  doihelper_init  modules\sendinblue\doi.php:9
action  wpcf7_init  modules\sendinblue\sendinblue.php:13
action  wpcf7_submit  modules\sendinblue\sendinblue.php:27
action  wpcf7_init  modules\stripe\stripe.php:12
action  wpcf7_enqueue_scripts  modules\stripe\stripe.php:30
filter  wpcf7_skip_spam_check  modules\stripe\stripe.php:97
filter  wpcf7_spam  modules\stripe\stripe.php:152
action  wpcf7_before_send_mail  modules\stripe\stripe.php:193
filter  wpcf7_special_mail_tags  modules\stripe\stripe.php:271
filter  wpcf7_flamingo_inbound_message_parameters  modules\stripe\stripe.php:295
action  wpcf7_init  modules\stripe\stripe.php:325
action  wpcf7_init  modules\submit.php:8
action  wpcf7_admin_init  modules\submit.php:42
action  wpcf7_init  modules\text.php:12
action  wpcf7_swv_create_schema  modules\text.php:100
filter  wpcf7_messages  modules\text.php:173
action  wpcf7_admin_init  modules\text.php:205
action  wpcf7_init  modules\textarea.php:8
action  wpcf7_swv_create_schema  modules\textarea.php:89
action  wpcf7_admin_init  modules\textarea.php:135
action  wpcf7_init  modules\turnstile\turnstile.php:9
action  wp_enqueue_scripts  modules\turnstile\turnstile.php:23
action  wpcf7_init  modules\turnstile\turnstile.php:52
filter  wpcf7_form_elements  modules\turnstile\turnstile.php:116
filter  wpcf7_spam  modules\turnstile\turnstile.php:144
filter  wpcf7_flamingo_inbound_message_parameters  modules\turnstile\turnstile.php:188
Maintenance & Trust

Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 8, 2026
PHP min version: 7.4
Downloads: 410.4M

Community Trust

Rating: 80/100
Number of ratings: 2,155
Active installs: 10.0M
Developer Profile

Contact Form 7 Developer Profile

Rock Lobster Inc.

6 plugins · 11.1M total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 1303 days
Detection Fingerprints

How We Detect Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-form-7/admin/includes/css/styles.css
/wp-content/plugins/contact-form-7/admin/includes/css/styles-rtl.css
/wp-content/plugins/contact-form-7/admin/includes/js/index.js
Script Paths
/wp-content/plugins/contact-form-7/admin/includes/js/index.js
Version Parameters
contact-form-7/style.css?ver=
contact-form-7-admin?ver=
contact-form-7-admin-rtl?ver=
wpcf7-admin?ver=

HTML / DOM Fingerprints

CSS Classes
wpcf7-form, wpcf7-form-control, wpcf7-submit, wpcf7-quiz, wpcf7-quiz-wrap, wpcf7-response-output
HTML Comments
<!-- Contact Form 7 -->
<!-- BEGIN SHORTCODE Contact Form 7 -->
<!-- END SHORTCODE Contact Form 7 -->
Data Attributes
data-status
JS Globals
wpcf7
REST Endpoints
/wp-json/contact-form-7/v1
Shortcode Output
[contact-form-7]
FAQ

Frequently Asked Questions about Contact Form 7