CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/contact-form-7-honeypot

Addons for Contact Form 7 — Honeypot, Database Entries, Redirection, Spam Protection, Webhooks, ACF integration for Contact Form 7, and more.

300K active installs v3.4.0 PHP 5.6+ WP 4.8+ Updated Jan 30, 2026

anti-spamcaptchacf7-databasehoneypotspam-protection

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 100/100

CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago

Risk Assessment

The 'contact-form-7-honeypot' plugin v3.4.0 exhibits a generally good security posture based on the provided static analysis and vulnerability history. The plugin demonstrates strong practices by using prepared statements for all SQL queries and properly escaping the vast majority of its output. The absence of critical or high severity taint flows and file operations further enhances its security. Furthermore, the plugin has no recorded vulnerabilities, indicating a history of stable and secure development.

However, a notable concern is the presence of three AJAX handlers that lack authentication checks. While the overall attack surface is moderate, these unprotected entry points represent potential vectors for unauthorized actions if they can be triggered without proper user verification. The plugin also bundles Freemius v1.0, which, while not explicitly flagged as outdated, is a common area for potential vulnerabilities in bundled libraries if not kept current.

In conclusion, the plugin is largely secure with robust code practices. The primary area for improvement is to implement appropriate authentication and authorization checks on the identified AJAX handlers to mitigate any potential risks associated with these unprotected entry points. The presence of a bundled library also warrants periodic review.

Key Concerns

AJAX handlers without auth checks
Bundled Freemius v1.0 (potential for outdatedness)

Vulnerabilities

None known

CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 Code Analysis

Dangerous Functions

Raw SQL Queries

22 prepared

Unescaped Output

216 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Freemius1.0

SQL Query Safety

100% prepared22 total queries

Output Escaping

95% escaped228 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

honeypot4cf7_general_tab_content (legacy-honeypot\includes\honeypot4cf7-admin.php:233)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

3 unprotected

CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 Attack Surface

Entry Points14

Unprotected3

AJAX Handlers 3

noprivwp_ajax_cf7apps_fetch_settingsincludes\apps\cf7-redirection\cf7-redirection.php:343

authwp_ajax_cf7apps_fetch_settingsincludes\apps\cf7-redirection\cf7-redirection.php:344

authwp_ajax_honeypot4cf7_dismiss_noticelegacy-honeypot\includes\honeypot4cf7-admin.php:74

REST API Routes 11

GET/wp-json/cf7apps/v1/get-menu-itemsincludes\rest-api\wp-admin\v1\rest-api.php:20

GET/wp-json/cf7apps/v1/get-apps(?:/(?P<id>[\w-]+))?includes\rest-api\wp-admin\v1\rest-api.php:26

POST/wp-json/cf7apps/v1/save-app-settingsincludes\rest-api\wp-admin\v1\rest-api.php:32

POST/wp-json/cf7apps/v1/get-app-settingsincludes\rest-api\wp-admin\v1\rest-api.php:38

GET/wp-json/cf7apps/v1/get-cf7-formsincludes\rest-api\wp-admin\v1\rest-api.php:44

GET/wp-json/cf7apps/v1/has-migratedincludes\rest-api\wp-admin\v1\rest-api.php:50

POST/wp-json/cf7apps/v1/migrateincludes\rest-api\wp-admin\v1\rest-api.php:56

GET/wp-json/cf7apps/v1/get-cf7-entriesincludes\rest-api\wp-admin\v1\rest-api.php:62

GET/wp-json/cf7apps/v1/delete-cf7-entriesincludes\rest-api\wp-admin\v1\rest-api.php:72

GET/wp-json/cf7apps/v1/get-all-cf7-formsincludes\rest-api\wp-admin\v1\rest-api.php:82

GET/wp-json/cf7apps/v1/spam-countincludes\rest-api\wp-admin\v1\rest-api.php:92

WordPress Hooks 50

actionacf/include_field_typesincludes\apps\acf-integration\acf-integration.php:41

actionacf/include_field_typesincludes\apps\acf-integration\acf-integration.php:42

actionplugins_loadedincludes\apps\acf-integration\acf-integration.php:47

actioninitincludes\apps\acf-integration\acf-integration.php:48

actionadmin_noticesincludes\apps\acf-integration\acf-integration.php:52

filtercf7apps_appsincludes\apps\acf-integration\acf-integration.php:218

actionwpcf7_initincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:54

actionwpcf7_contact_formincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:55

actionplugins_loadedincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:58

actioninitincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:61

actiontemplate_redirectincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:62

actionwpcf7_admin_initincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:65

actionadmin_initincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:66

filterwpcf7_validate_acf_fieldincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:69

filterwpcf7_contact_form_propertiesincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:72

actionadmin_enqueue_scriptsincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:75

actionadmin_footerincludes\apps\acf-integration\includes\class-cf7-acf-integration.php:78

actionadmin_initincludes\apps\cf7-entries\cf7-entries.php:40

actionwpcf7_mail_sentincludes\apps\cf7-entries\cf7-entries.php:41

actionadmin_menuincludes\apps\cf7-entries\cf7-entries.php:42

actionbefore_delete_postincludes\apps\cf7-entries\cf7-entries.php:44

filtercf7apps_appsincludes\apps\cf7-entries\cf7-entries.php:232

actionadmin_enqueue_scriptsincludes\apps\cf7-internal-settings\cf7-internal-settings.php:48

actionwp_enqueue_scriptsincludes\apps\cf7-redirection\cf7-redirection.php:345

filtercf7apps_appsincludes\apps\cf7-redirection\cf7-redirection.php:497

actionwp_footerincludes\apps\hcaptcha\hcaptcha.php:150

actionwpcf7_initincludes\apps\hcaptcha\hcaptcha.php:151

filterwpcf7_validateincludes\apps\hcaptcha\hcaptcha.php:152

actionwpcf7_admin_initincludes\apps\hcaptcha\hcaptcha.php:153

filtercf7apps_appsincludes\apps\hcaptcha\hcaptcha.php:528

filterregister_post_type_argsincludes\apps\honeypot\honeypot.php:26

filtercf7apps_appsincludes\apps\honeypot\honeypot.php:140

actionwpcf7_mail_sentincludes\apps\webhook\webhook.php:333

filtercf7apps_appsincludes\apps\webhook\webhook.php:663

actionadmin_noticesincludes\class-cf7apps.php:37

actionadmin_menuincludes\class-cf7apps.php:143

actionrest_api_initincludes\rest-api\wp-admin\v1\rest-api.php:11

actionadmin_initlegacy-honeypot\includes\honeypot4cf7-admin.php:16

actionadmin_noticeslegacy-honeypot\includes\honeypot4cf7-admin.php:25

actionadmin_noticeslegacy-honeypot\includes\honeypot4cf7-admin.php:30

actionadmin_menulegacy-honeypot\includes\honeypot4cf7-admin.php:175

actionhoneypot4cf7_tab_generallegacy-honeypot\includes\honeypot4cf7-admin.php:232

actionhoneypot4cf7_tab_all-formslegacy-honeypot\includes\honeypot4cf7-admin.php:420

actionadmin_enqueue_scriptslegacy-honeypot\includes\honeypot4cf7-admin.php:463

filterwpcf7_config_validator_available_error_codeslegacy-honeypot\includes\honeypot4cf7-admin.php:481

actionadmin_noticeslegacy-honeypot\includes\honeypot4cf7-admin.php:499

actionwpcf7_initlegacy-honeypot\includes\honeypot4cf7.php:16

filterwpcf7_spamlegacy-honeypot\includes\honeypot4cf7.php:126

filterwpcf7_spamlegacy-honeypot\includes\honeypot4cf7.php:129

actionwpcf7_admin_initlegacy-honeypot\includes\honeypot4cf7.php:251

Maintenance & Trust

CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 30, 2026

PHP min version5.6

Downloads5.6M

Community Trust

Rating76/100

Number of ratings131

Active installs300K

Alternatives

CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 Alternatives

Gravity Forms Zero Spam

gravity-forms-zero-spam

100

Enhance your Gravity Forms to include anti-spam measures originally based on the work of David Walsh's "Zero Spam" technique.

100K No CVEs

SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce)

captcha-for-contact-form-7

100

SilentShield – the invisible shield against spam. Spam is the weed of the internet. It clogs your forms, steals your time, and corrupts your data.

10K 1 CVE

Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant

gdpr-compliant-recaptcha-for-all-forms

Anti-spam - CAPTCHA that protects all forms against spam and brute-force. Invisible and GDPR-compliant.

4K 1 CVE

Send Denial

send-denial-anti-spam

Anti-Spam protection for the most popular and widly used formbuilders and plugins. GDPR compliant.

300 No CVEs

Mathematical Captcha Applier

mathematical-captcha-applier

100

Apply a simple mathematical captcha to specific buttons by providing their CSS class or ID to prevent spamming.

0 No CVEs

Developer Profile

CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7 Developer Profile

Saad Iqbal

84 plugins · 1.4M total installs

trust score

Avg Security Score

96/100

Avg Patch Time

287 days

View full developer profile

Detection Fingerprints

How We Detect CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/contact-form-7-honeypot/assets/css/cf7apps-admin.css/wp-content/plugins/contact-form-7-honeypot/assets/js/cf7apps-admin.js

Generator Patterns

CF7 Apps

Script Paths

/wp-content/plugins/contact-form-7-honeypot/assets/js/cf7apps-admin.js

Version Parameters

contact-form-7-honeypot/assets/css/cf7apps-admin.css?ver=contact-form-7-honeypot/assets/js/cf7apps-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

cf7apps-admin-wrap

HTML Comments

+4 more

Data Attributes

data-cf7apps-hookdata-cf7apps-ajax-url

JS Globals

cf7apps

FAQ