Contact Form Generator : Creative form builder for WordPress Security & Risk Analysis

wordpress.org/plugins/contact-form-generator

Contact Form Generator is a creative and powerful contact form builder! You will get ready-to-use forms in 5 minutes!

900 active installs · v2.9.1 · PHP + WP 3.6.1+ · Updated Jan 12, 2026
Tags: contact-form, contact-form-plugin, contact-forms, form, form-builder

Score: 98
Grade: A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Oct 9, 2023
Safety Verdict

Is Contact Form Generator : Creative form builder for WordPress Safe to Use in 2026?

Generally Safe

Score 98/100

Contact Form Generator : Creative form builder for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Oct 9, 2023 · Updated 2mo ago
Risk Assessment

The "contact-form-generator" v2.9.1 plugin exhibits a mixed security posture. On the positive side, it shows strong adherence to secure coding practices: 99% of its SQL queries use prepared statements, and it performs nonce checks. The absence of file operations and external HTTP requests is also a positive sign. However, a significant share of the analyzed data flows have unsanitized paths (8 out of 11), and a notable proportion of output is not properly escaped (41%). The four high-severity taint flows indicate places where user input may reach a sensitive operation without adequate sanitization, which could lead to serious security compromises. Furthermore, the plugin has a history of known vulnerabilities, including SQL Injection, Cross-site Scripting, and CSRF. Although there are currently no unpatched CVEs, this historical pattern suggests a recurring tendency to introduce such flaws. The lack of capability checks on entry points, combined with the high-severity taint flows, presents a significant risk.

Key Concerns

  • High severity taint flows
  • Significant unsanitized paths in taint flows
  • Low output escaping percentage
  • History of SQL Injection vulnerabilities
  • History of Cross-site Scripting vulnerabilities
  • History of CSRF vulnerabilities
  • No capability checks on entry points
Vulnerabilities (3)

Contact Form Generator : Creative form builder for WordPress Security Vulnerabilities

CVEs by Year

  • 2015: 1 CVE
  • 2023: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 2

3 total CVEs

CVE-2023-35911 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Contact Form Generator <= 2.7.1 - Authenticated (Contributor+) SQL Injection
Oct 9, 2023 · Patched in 2.9.0 (626d)

CVE-2023-37988 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Generator <= 2.5.5 - Reflected Cross-Site Scripting
Jul 17, 2023 · Patched in 2.6.0 (190d)

CVE-2015-6965 · medium · 6.3 · Cross-Site Request Forgery (CSRF)
Contact Form Generator : Creative form builder for WordPress <= 2.1.86 - Cross-Site Request Forgery
Sep 4, 2015 · Patched in 2.5.0 (3063d)
Code Analysis
Analyzed Mar 16, 2026

Contact Form Generator : Creative form builder for WordPress Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (125 prepared)
  • Unescaped Output: 929 (1353 escaped)
  • Nonce Checks: 1
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

99% prepared (126 total queries)

Output Escaping

59% escaped (2282 total outputs)

Data Flows: 8 unsanitized

Data Flow Analysis

11 flows, 8 with unsanitized paths
<field> (includes\admin\field.php:0)
Attack Surface

Contact Form Generator : Creative form builder for WordPress Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers (2)

  • auth · wp_ajax_cfgen_send_email · contactformgenerator.php:66
  • nopriv · wp_ajax_cfgen_send_email · contactformgenerator.php:67

Shortcodes (1)

  • [contactformgenerator] · includes\display-functions.php:136

WordPress Hooks (3)

  • action · admin_menu · includes\admin-page.php:102
  • action · admin_init · includes\admin-page.php:103
  • action · widgets_init · includes\contactformgenerator_widget.php:92
Maintenance & Trust

Contact Form Generator : Creative form builder for WordPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Jan 12, 2026
  • PHP min version: (not stated)
  • Downloads: 108K

Community Trust

  • Rating: 88/100
  • Number of ratings: 66
  • Active installs: 900
Developer Profile

Contact Form Generator : Creative form builder for WordPress Developer Profile

Creative-Solutions

4 plugins · 4K total installs

  • Trust score: 69
  • Avg Security Score: 86/100
  • Avg Patch Time: 1211 days
Detection Fingerprints

How We Detect Contact Form Generator : Creative form builder for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/contact-form-generator/includes/admin/cfg_ajax.php
  • /wp-content/plugins/contact-form-generator/includes/generate.css.php
  • /wp-content/plugins/contact-form-generator/includes/generate.js.php
  • /wp-content/plugins/contact-form-generator/includes/display-functions.php
  • /wp-content/plugins/contact-form-generator/includes/contactformgenerator_widget.php
  • /wp-content/plugins/contact-form-generator/includes/admin-page.php
  • /wp-content/plugins/contact-form-generator/includes/install/install.sql.php
  • /wp-content/plugins/contact-form-generator/includes/install/uninstall.sql.php
  • +1 more

Script Paths
  • /wp-content/plugins/contact-form-generator/includes/generate.js.php

Version Parameters
  • contact-form-generator/style.css?ver=
  • contact-form-generator/js/frontend.js?ver=
  • contact-form-generator/js/admin.js?ver=
  • contact-form-generator/css/frontend.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • sexycontactform_input_element
  • sexy_error_input
  • colorpicker
  • colorpicker_hex
  • inactive_state

HTML Comments
  • <!-- 2.7.0 fix -->
  • <!-- admin forever -->

Data Attributes
  • data-formid
  • data-fieldid
  • data-templateid
  • data-elementid

JS Globals
  • contactformgenerator_shake_count_array
  • contactformgenerator_shake_distanse_array
  • contactformgenerator_shake_duration_array
  • contactformgenerator_path
  • contactformgenerator_redirect_enable_array
  • contactformgenerator_redirect_array
  • +4 more

Shortcode Output
  • [contact-form-generator
FAQ

Frequently Asked Questions about Contact Form Generator : Creative form builder for WordPress