Database for Contact Form 7, WPforms, Elementor forms Security & Risk Analysis

wordpress.org/plugins/contact-form-entries

Saves Contact Form 7, WPforms, Elementor Forms, CRM Perks Forms and many other contact form submissions to database.

70K active installs · v1.4.8 · PHP 5.3+ · WP 3.8+ · Updated Mar 4, 2026
Tags: contact-form-7, contact-form-7-database, contact-form-entries, elementor-forms-database, wpforms-database
Score: 76 · B · Generally Safe
CVEs total: 13
Unpatched: 0
Last CVE: Mar 4, 2026
Safety Verdict

Is Database for Contact Form 7, WPforms, Elementor forms Safe to Use in 2026?

Mostly Safe

Score 76/100

Database for Contact Form 7, WPforms, Elementor forms is generally safe to use. 13 past CVEs were resolved. Keep it updated.

13 known CVEs · Last CVE: Mar 4, 2026 · Updated 29d ago
Risk Assessment

The "contact-form-entries" plugin v1.4.8 exhibits a mixed security posture. It demonstrates good practices, such as a high percentage of prepared SQL statements and properly escaped output, but its attack surface and past vulnerability history raise significant concerns. The unprotected AJAX handler is a critical entry point that could be exploited without proper authorization, and the taint analysis points the same way, showing high-severity flows with unsanitized paths. Furthermore, the plugin's history of 13 known CVEs, including critical vulnerabilities related to missing authorization and deserialization of untrusted data, suggests a recurring pattern of security weaknesses.

The core risks are amplified by the use of the dangerous `unserialize` function, which, coupled with unsanitized input from the unprotected AJAX handler, creates a high risk of deserialization vulnerabilities. The large number of historical vulnerabilities, even though none are currently unpatched, points to a need for more robust security development and auditing processes within the plugin. While the plugin has strengths in data handling, the identified immediate code risks and the extensive vulnerability history warrant significant caution.

Key Concerns

  • Unprotected AJAX handler
  • High severity taint flows
  • Use of unserialize function
  • Multiple historical critical/high CVEs
  • Unsanitized paths in taint analysis
Vulnerabilities
13

Database for Contact Form 7, WPforms, Elementor forms Security Vulnerabilities

CVEs by Year

4 CVEs in 2021
1 CVE in 2022
2 CVEs in 2023
3 CVEs in 2024
1 CVE in 2025
2 CVEs in 2026

Severity Breakdown

Critical: 2
High: 5
Medium: 6

13 total CVEs

CVE-2026-2599 · critical · 9.8 · Deserialization of Untrusted Data

Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv'

Mar 4, 2026 · Patched in 1.4.8 (2d)

CVE-2026-0825 · medium · 5.3 · Missing Authorization

Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export

Jan 27, 2026 · Patched in 1.4.6 (1d)

CVE-2025-7384 · critical · 9.8 · Deserialization of Untrusted Data

Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 - Unauthenticated PHP Object Injection to Arbitrary File Deletion

Aug 12, 2025 · Patched in 1.4.4 (1d)

CVE-2024-3715 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Database for Contact Form 7, WPforms, Elementor forms <= 1.3.8 - Unauthenticated Stored Cross-Site Scripting

Apr 22, 2024 · Patched in 1.3.9 (40d)

CVE-2024-2030 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Database for Contact Form 7, WPforms, Elementor forms <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Mar 6, 2024 · Patched in 1.3.4 (87d)

CVE-2024-1069 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Contact Form Entries <= 1.3.2 - Authenticated (Administrator+) Arbitrary File Upload

Jan 30, 2024 · Patched in 1.3.3 (1d)

CVE-2023-31212 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Contact Form Entries <= 1.3.0 - Authenticated (Contributor+) SQL Injection via shortcode

May 22, 2023 · Patched in 1.3.1 (246d)

CVE-2023-33311 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contact Form Entries <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode

May 22, 2023 · Patched in 1.3.1 (246d)

CVE-2022-3604 · high · 7.2 · Improper Neutralization of Formula Elements in a CSV File

Contact Form Entries <= 1.2.9 - CSV Injection

Oct 21, 2022 · Patched in 1.3.0 (459d)

CVE-2021-25079 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contact Form Entries <= 1.2.3 - Reflected Cross-Site Scripting

Nov 14, 2021 · Patched in 1.2.4 (800d)

WF-cc1e9778-2860-4e3c-a2e4-28f10d585fed-contact-form-entries · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CRM Perks - Various Plugins (Various Versions) - Reflected Cross-Site Scripting

Aug 26, 2021 · Patched in 1.2.2 (880d)

WF-83d46dce-b218-49ed-85ee-0e8d2a391eb9-contact-form-entries · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contact Form Entries – Contact Form 7, WPforms and more <= 1.2.0 - Reflected Cross-Site Scripting

Aug 24, 2021 · Patched in 1.2.1 (882d)

CVE-2021-25080 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contact Form Entries <= 1.1.6 - Unauthenticated Stored Cross-Site Scripting

Jan 5, 2021 · Patched in 1.1.7 (1113d)

Code Analysis
Analyzed Mar 16, 2026

Database for Contact Form 7, WPforms, Elementor forms Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 7 (37 prepared)
Unescaped Output: 43 (468 escaped)
Nonce Checks: 7
Capability Checks: 14
File Operations: 7
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize · contact-form-entries.php:1202 · `$val=unserialize($val, array('allowed_classes' => false));`
unserialize · includes\plugin-pages.php:1185 · `$db_files=unserialize($db_files, array('allowed_classes' => false));`

Bundled Libraries

Select2

SQL Query Safety

84% prepared · 44 total queries

Output Escaping

92% escaped · 511 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
setup_plugin (includes\plugin-pages.php:547)
Attack Surface
1 unprotected

Database for Contact Form 7, WPforms, Elementor forms Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_vxcf_form_review_dismiss · wp\crmperks-notices.php:15

Shortcodes: 1

[vx-entries] · contact-form-entries.php:129

WordPress Hooks: 47

action · plugins_loaded · contact-form-entries.php:58
action · init · contact-form-entries.php:63
filter · crmperks_forms_field_validation_message · contact-form-entries.php:64
action · wp_footer · contact-form-entries.php:70
action · rest_api_init · contact-form-entries.php:101
filter · wpcf7_before_send_mail · contact-form-entries.php:102
action · gform_entry_created · contact-form-entries.php:104
action · frm_after_create_entry · contact-form-entries.php:106
action · ninja_forms_after_submission · contact-form-entries.php:108
action · iphorm_post_process · contact-form-entries.php:109
action · caldera_forms_submit_post_process_end · contact-form-entries.php:110
action · cforms2_after_processing_action · contact-form-entries.php:111
action · cntctfrm_get_mail_data · contact-form-entries.php:112
action · ufbl_email_send · contact-form-entries.php:113
action · grunion_pre_message_sent · contact-form-entries.php:114
filter · crmperks_forms_new_submission · contact-form-entries.php:115
action · wpforms_process_entry_save · contact-form-entries.php:117
action · elementor_pro/forms/new_record · contact-form-entries.php:121
action · forminator_custom_form_submit_before_set_fields · contact-form-entries.php:122
action · vx_cf_add_meta_box · includes\crmperks-cf.php:10
filter · update_user_metadata · includes\plugin-pages.php:34
filter · set-screen-option · includes\plugin-pages.php:35
action · admin_notices · includes\plugin-pages.php:37
filter · plugin_action_links · includes\plugin-pages.php:38
action · vx_cf_meta_boxes_right · includes\plugin-pages.php:40
action · vx_cf_add_meta_box_right · includes\plugin-pages.php:41
filter · admin_init · includes\plugin-pages.php:43
filter · admin_menu · includes\plugin-pages.php:44
filter · vx_entries_plugin_tabs · includes\plugin-pages.php:45
filter · vx_entries_plugin_tab_sections · includes\plugin-pages.php:46
filter · crmperks_forms_table_fields · includes\plugin-pages.php:48
filter · crmperks_forms_table_data · includes\plugin-pages.php:49
filter · crmperks_forms_fields_classes · includes\plugin-pages.php:51
action · crmperks_forms_field_html · includes\plugin-pages.php:52
action · crmperks_forms_step3_html · includes\plugin-pages.php:53
action · crmperks_entries_stats_end · includes\plugin-pages.php:55
action · wp_dashboard_setup · includes\plugin-pages.php:56
filter · crmperks_forms_row_actions · includes\plugin-pages.php:58
filter · wp_privacy_personal_data_exporters · includes\plugin-pages.php:59
filter · wp_privacy_personal_data_erasers · includes\plugin-pages.php:60
action · load-toplevel_page_vxcf_leads · includes\plugin-pages.php:532
filter · vx_entries_plugin_tabs · wp\crmperks-notices.php:12
filter · plugin_row_meta · wp\crmperks-notices.php:13
action · add_section_vxcf_leads · wp\crmperks-notices.php:16
filter · admin_footer_text · wp\crmperks-notices.php:19
action · admin_notices · wp\crmperks-notices.php:21
filter · plugins_api · wp\crmperks-notices.php:23
Maintenance & Trust

Database for Contact Form 7, WPforms, Elementor forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version: 5.3
Downloads: 989K

Community Trust

Rating: 96/100
Number of ratings: 122
Active installs: 70K
Developer Profile

Database for Contact Form 7, WPforms, Elementor forms Developer Profile

CRM Perks

32 plugins · 105K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 349 days
Detection Fingerprints

How We Detect Database for Contact Form 7, WPforms, Elementor forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-form-entries/css/style.css
/wp-content/plugins/contact-form-entries/css/animate.css
/wp-content/plugins/contact-form-entries/css/font-awesome.css
/wp-content/plugins/contact-form-entries/css/jquery.dataTables.css
/wp-content/plugins/contact-form-entries/css/responsive.dataTables.css
/wp-content/plugins/contact-form-entries/css/buttons.dataTables.css
/wp-content/plugins/contact-form-entries/css/select.dataTables.css
/wp-content/plugins/contact-form-entries/css/dataTables.checkboxes.css
+14 more

Script Paths
/wp-content/plugins/contact-form-entries/js/jquery.tablesorter.js
/wp-content/plugins/contact-form-entries/js/jquery.tablesorter.pager.js
/wp-content/plugins/contact-form-entries/js/jquery.tablesorter.widgets.js

Version Parameters
contact-form-entries/css/style.css?ver=
contact-form-entries/css/animate.css?ver=
contact-form-entries/css/font-awesome.css?ver=
contact-form-entries/css/jquery.dataTables.css?ver=
contact-form-entries/css/responsive.dataTables.css?ver=
contact-form-entries/css/buttons.dataTables.css?ver=
contact-form-entries/css/select.dataTables.css?ver=
contact-form-entries/css/dataTables.checkboxes.css?ver=
contact-form-entries/js/jquery.dataTables.min.js?ver=
contact-form-entries/js/dataTables.responsive.min.js?ver=
contact-form-entries/js/dataTables.buttons.js?ver=
contact-form-entries/js/buttons.html5.js?ver=
contact-form-entries/js/buttons.print.js?ver=
contact-form-entries/js/dataTables.select.js?ver=
contact-form-entries/js/dataTables.checkboxes.js?ver=
contact-form-entries/js/vxcf-form.js?ver=
contact-form-entries/js/vxcf-admin.js?ver=
contact-form-entries/js/vx-fields.js?ver=
contact-form-entries/js/vx-form-editor.js?ver=
contact-form-entries/js/vx-leads.js?ver=
contact-form-entries/js/vx-frontend.js?ver=
contact-form-entries/js/vx-frontend-form.js?ver=

HTML / DOM Fingerprints

CSS Classes
vxcf-form
vxcf_form_wrapper
vxcf-leads-wrapper

HTML Comments
<!-- vxcf_form_data -->
<!-- vxcf_form_editor -->
<!-- vx-entries -->

Data Attributes
data-vx-form-id
data-vxcf-id
data-vx-ajax

JS Globals
vxcf_form
vxcf_form_params
vxcf_form_editor
vx_admin_settings
vxcf_table_options
vxcf_datatable_options
+1 more

REST Endpoints
/wp-json/vxcf/v1/forms
/wp-json/vxcf/v1/leads

Shortcode Output
[vx-entries]