Database Addon for Contact Form 7 – CFDB7 Security & Risk Analysis

The "contact-form-cfdb7" plugin version 1.3.5 presents a mixed security posture. While the static analysis indicates a seemingly small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication or permission checks, there are significant underlying concerns. The presence of the `unserialize` function, a known source of vulnerabilities, combined with a substantial number of SQL queries where only 27% utilize prepared statements, raises red flags regarding potential injection attacks. Furthermore, the output escaping is only properly implemented in 65% of cases, indicating a risk of Cross-Site Scripting (XSS) vulnerabilities.

The plugin's vulnerability history is particularly concerning, with a total of 7 known CVEs, including 3 high-severity vulnerabilities. The types of past vulnerabilities—XSS, information exposure, CSV injection, CSRF, general injection, and SQL injection—paint a picture of an application that has historically struggled with input validation and output sanitization. While there are currently no unpatched CVEs, the recurring nature and severity of past issues suggest a propensity for exploitable flaws. The last vulnerability recorded in July 2025 indicates ongoing development or discovery of issues, though its recency might be an artifact of data reporting.

In conclusion, despite a minimal exposed attack surface in this specific version, the plugin's history of critical and high-severity vulnerabilities, coupled with the static analysis findings of dangerous functions like `unserialize` and inadequate prepared statement usage for SQL queries, points to a considerable risk. The less-than-ideal output escaping further exacerbates this risk. Users should exercise extreme caution and consider alternatives if possible.