Contact Form Plugin Security & Risk Analysis

wordpress.org/plugins/contact-form-lite

Form Plugin - Create responsive form using best contact form builder just in minutes. Yeah, it's really that easy.

2K active installs · v1.1.31 · PHP (version not listed) · WP 3.3+ · Updated Jan 17, 2026
Tags: contact-form, form, form-builder, form-plugin, wordpress-form
Score: 96
Grade: A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jun 9, 2025
Safety Verdict

Is Contact Form Plugin Safe to Use in 2026?

Generally Safe

Score 96/100

Contact Form Plugin has a good recent security track record: no known vulnerability is unpatched, and the three CVEs disclosed since 2024 were fixed within 6 to 31 days. The single 2017 CVE, by contrast, was open for 2519 days before its fix shipped.

4 known CVEs · Last CVE: Jun 9, 2025 · Updated 2mo ago
Risk Assessment

The contact-form-lite plugin at v1.1.31 shows a mixed security posture. On the positive side, the code analysis found no dangerous function calls, no file operations and no raw SQL queries at all (the prepared-statement count is zero because the plugin issues no SQL of its own, so injection at this layer is not a concern), and 437 of its 447 output sites (98%) are escaped. Nonce checks (4) and capability checks (7) are present. Against that, the attack-surface analysis marks two of the plugin's six entry points as unprotected. The one visible in the handler list is wp_ajax_nopriv_ecf_deliver_mail, the form-delivery endpoint; a public contact form has to accept submissions from anonymous visitors, so authentication is not the right control there, and the question is how strictly that handler validates and sanitizes what it receives. The plugin also makes 7 external HTTP requests, which become a vector if their responses are trusted without validation or their targets can be influenced by user-controlled data.

The vulnerability history is uniform: four CVEs, all medium-severity (CVSS 6.4) stored cross-site scripting. The three since 2024 each require an authenticated Contributor or higher and were patched within 6 to 31 days; none is currently unpatched. The recurrence nonetheless points to a standing weakness in how form-builder input is neutralized before it is rendered, and the 10 output sites still reported as unescaped are the obvious place to look for the next one. The taint analysis produced no critical or high-severity findings, which is a positive signal. The plugin bundles TinyMCE and Select2; both are actively maintained upstream, but the bundled versions are not reported here, so whether they carry known issues is unverified.

In sum, the absence of raw SQL and the 98% escaping rate are genuine strengths; the two unprotected entry points, the 10 unescaped outputs and the recurring Contributor+ stored XSS are the weaknesses to track. Site owners should confirm they are on 1.1.29 or later (1.1.31 is current), limit Contributor accounts to trusted users, since every recent CVE requires that role, and watch the advisory feed. For the developer, the priorities are strict validation and sanitization on the unauthenticated delivery handler and escaping on the remaining unescaped output sites.
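The two patterns the assessment contrasts, as an added illustration rather than code from contact-form-lite: an admin-ajax handler with no nonce or capability check beside a hardened version, and escaping at the output site. The handler names, the meta key, the nonce action and the script handle are hypothetical; only the WordPress API calls are real.

```php
<?php
/**
 * Added illustration, not code from contact-form-lite: the weak pattern the
 * risk assessment warns about (an admin-ajax handler with no nonce or
 * capability check) beside a hardened version, plus escaping at the output
 * site. Handler names, the meta key and the script handle are hypothetical.
 */

// WEAK: registered only for logged-in users, but any role that can reach
// admin-ajax.php (a Subscriber included) can call it, the nonce is never
// checked, and the value is stored exactly as posted.
function example_weak_save_title() {
    $form_id = (int) $_POST['form_id'];
    update_post_meta( $form_id, 'example_form_title', $_POST['title'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_weak_save_title', 'example_weak_save_title' );

// HARDENED: nonce first (check_ajax_referer() terminates the request with a
// 403 on failure), then an object-level capability check against the specific
// post, then sanitisation on the way in.
function example_hardened_save_title() {
    check_ajax_referer( 'example_save_title', 'nonce' );

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( ! $form_id || ! current_user_can( 'edit_post', $form_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_post_meta( $form_id, 'example_form_title', $title );

    wp_send_json_success( array( 'title' => $title ) );
}
add_action( 'wp_ajax_example_hardened_save_title', 'example_hardened_save_title' );

// OUTPUT: the stored value is escaped for the context it lands in, regardless
// of what the save path did. A Contributor who can set a form title must not
// be able to get markup into a page an Administrator later views; that is the
// bug class behind the three 2024-2025 CVEs listed on this page.
function example_render_title( $form_id ) {
    $title = get_post_meta( $form_id, 'example_form_title', true );
    return sprintf(
        '<h3 class="example-form-title" data-form-id="%s">%s</h3>',
        esc_attr( $form_id ),
        esc_html( $title )
    );
}

// The nonce is minted server-side and passed to the admin script that calls
// the handler, which posts it back as the `nonce` field.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleParams', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_save_title' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

For a handler that must stay reachable by anonymous visitors, such as the nopriv form-delivery endpoint, neither check_ajax_referer() nor current_user_can() applies in the same way (nonces tied to a logged-out session are weak on cached pages); the controls there are per-field validation and sanitization on input, and the same context-appropriate escaping wherever a submission is later displayed.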

Key Concerns

  • Unprotected AJAX handlers
  • Medium-severity stored XSS history (4 CVEs, all Contributor+ since 2024)
  • External HTTP requests
Vulnerabilities
4

Contact Form Plugin Security Vulnerabilities

CVEs by Year

2017: 1 CVE
2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2025-5730 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Contact Form Lite <= 1.1.28 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jun 9, 2025 · Patched in 1.1.29 (31 days)

CVE-2025-26962 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Plugin <= 1.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting
Feb 23, 2025 · Patched in 1.1.27 (9 days)

CVE-2024-32147 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Easy Contact Form Lite <= 1.1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting
Apr 12, 2024 · Patched in 1.1.25 (6 days)

CVE-2017-20055 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Plugin <= 4.0.1 - Stored Cross-Site Scripting
Mar 1, 2017 · Patched in 4.0.2 (2519 days)
Code Analysis
Analyzed Mar 16, 2026

Contact Form Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 10 (437 escaped)
Nonce Checks: 4
Capability Checks: 7
File Operations: 0
External Requests: 7
Bundled Libraries: 2

Bundled Libraries

TinyMCE, Select2

Output Escaping

98% escaped (437 of 447 total outputs)
Attack Surface
2 unprotected

Contact Form Plugin Attack Surface

Entry Points: 6
Unprotected: 2

AJAX Handlers (5)

auth · wp_ajax_ecf_grab_form_list_ajax · inc\functions\ecf-functions.php:92
auth · wp_ajax_ecf_duplicate_form · inc\functions\ecf-functions.php:687
auth · wp_ajax_ecf_hide_notify · inc\functions\ecf-functions.php:775
auth · wp_ajax_ecf_deliver_mail · inc\functions\ecf-mail.php:89
nopriv · wp_ajax_ecf_deliver_mail · inc\functions\ecf-mail.php:90

Shortcodes 1

[easy-contactform] inc\ecf-shortcode.php:74
WordPress Hooks (44)

action · plugins_loaded · easy-contact-form.php:83
filter · widget_text · easy-contact-form.php:84
filter · the_excerpt · easy-contact-form.php:85
filter · the_excerpt · easy-contact-form.php:86
action · admin_init · easy-contact-form.php:87
action · init · easy-contact-form.php:88
filter · manage_edit-easycontactform_columns · easy-contact-form.php:89
filter · manage_posts_custom_column · easy-contact-form.php:90
action · admin_head · easy-contact-form.php:91
action · admin_menu · easy-contact-form.php:92
action · admin_footer-post.php · easy-contact-form.php:95
action · admin_notices · easy-contact-form.php:153
filter · post_row_actions · easy-contact-form.php:275
action · init · easy-contact-form.php:279
action · init · inc\ecf-block\init.php:25
action · wp_enqueue_scripts · inc\ecf-frontend.php:36
action · do_meta_boxes · inc\ecf-metaboxes.php:18
action · admin_head · inc\ecf-metaboxes.php:19
action · admin_enqueue_scripts · inc\ecf-metaboxes.php:20
action · admin_footer · inc\ecf-metaboxes.php:59
action · add_meta_boxes · inc\ecf-metaboxes.php:656
action · save_post · inc\ecf-metaboxes.php:1269
action · admin_init · inc\ecf-notice.php:24
action · admin_head · inc\ecf-tinymce.php:6
action · media_buttons · inc\ecf-tinymce.php:30
action · admin_footer · inc\ecf-tinymce.php:42
action · widgets_init · inc\ecf-widget.php:89
action · admin_init · inc\functions\ecf-functions.php:38
action · wp_enqueue_scripts · inc\functions\ecf-functions.php:55
filter · gettext · inc\functions\ecf-functions.php:354
action · admin_print_footer_scripts · inc\functions\ecf-functions.php:367
action · admin_print_footer_scripts · inc\functions\ecf-functions.php:445
action · admin_head · inc\functions\ecf-functions.php:709
action · admin_bar_menu · inc\functions\ecf-functions.php:718
action · enqueue_block_editor_assets · inc\functions\ecf-functions.php:764
action · admin_enqueue_scripts · inc\pages\ecf-analytics.php:18
action · admin_enqueue_scripts · inc\pages\ecf-pricing.php:14
action · admin_menu · inc\pages\ecf-welcome.php:36
action · admin_head · inc\pages\ecf-welcome.php:37
action · admin_init · inc\pages\ecf-welcome.php:38
filter · mce_external_plugins · inc\tinymce_plugin\register_mce_button.php:8
action · current_screen · inc\tinymce_plugin\register_mce_button.php:9
filter · mce_buttons · inc\tinymce_plugin\register_mce_button.php:20
action · enqueue_block_editor_assets · inc\tinymce_plugin\register_mce_button.php:21
Maintenance & Trust

Contact Form Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jan 17, 2026
PHP min version:
Downloads: 980K

Community Trust

Rating: 56/100
Number of ratings: 17
Active installs: 2K
Developer Profile

Contact Form Plugin Developer Profile

GhozyLab

10 plugins · 21K total installs
Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 872 days
Detection Fingerprints

How We Detect Contact Form Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-form-lite/assets/css/ecf-frontend.css
/wp-content/plugins/contact-form-lite/assets/css/ecf-frontend-responsive.css
/wp-content/plugins/contact-form-lite/assets/js/ecf-frontend.js
/wp-content/plugins/contact-form-lite/assets/js/ecf-jquery.js
Script Paths
/wp-content/plugins/contact-form-lite/assets/js/ecf-frontend.js
/wp-content/plugins/contact-form-lite/assets/js/ecf-jquery.js
Version Parameters
contact-form-lite/assets/css/ecf-frontend.css?ver=
contact-form-lite/assets/css/ecf-frontend-responsive.css?ver=
contact-form-lite/assets/js/ecf-frontend.js?ver=
contact-form-lite/assets/js/ecf-jquery.js?ver=

HTML / DOM Fingerprints

CSS Classes
ecf-form-title, ecf-contact-form, ecf-form-submit-button, ecf-form-field-label, ecf-form-field-input, ecf-form-wrapper
HTML Comments
<!-- Easy Contact Form Lite Settings -->
<!-- Shortcode for Easy Contact Form Lite -->
Data Attributes
data-ecf-form-id
JS Globals
ecf_frontend_params
REST Endpoints
/wp-json/contact-form-lite/v1/submit
Shortcode Output
[easy-contact-form
[contact_form_lite
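How these fingerprints are used in practice, as an added example that is not code from the audit tool or from the plugin: a matcher that checks fetched HTML for the asset paths, CSS classes, data attribute, JS global and HTML comment listed above, reads the plugin version out of the ?ver= parameter WordPress appends to enqueued assets, and compares it against the affected ranges from the vulnerability list. The HTML sample is constructed; the CVE table omits the 2017 entry because its version numbers do not fit the 1.1.x line.

```php
<?php
/**
 * Added example, not code from the audit tool or the plugin: matches the
 * fingerprints listed above against fetched HTML, derives the plugin version
 * from the ?ver= parameter, and looks that version up against the CVE ranges
 * from the vulnerability list. The HTML sample below is constructed.
 */

const ECF_ASSET_PATHS = array(
    '/wp-content/plugins/contact-form-lite/assets/css/ecf-frontend.css',
    '/wp-content/plugins/contact-form-lite/assets/css/ecf-frontend-responsive.css',
    '/wp-content/plugins/contact-form-lite/assets/js/ecf-frontend.js',
    '/wp-content/plugins/contact-form-lite/assets/js/ecf-jquery.js',
);
const ECF_CSS_CLASSES = array( 'ecf-contact-form', 'ecf-form-wrapper', 'ecf-form-submit-button' );

// Upper bound of the affected range for each CVE in the list above. The 2017
// entry is left out because its version numbers do not match the 1.1.x line.
const ECF_CVE_MAX_AFFECTED = array(
    'CVE-2025-5730'  => '1.1.28',
    'CVE-2025-26962' => '1.1.25',
    'CVE-2024-32147' => '1.1.23',
);

function ecf_fingerprint( string $html ): ?array {
    $hits = array();

    foreach ( ECF_ASSET_PATHS as $path ) {
        if ( strpos( $html, $path ) !== false ) {
            $hits[] = 'asset:' . basename( $path );
        }
    }
    foreach ( ECF_CSS_CLASSES as $class ) {
        // Whole-token match inside a double-quoted class attribute, so that
        // "ecf-form-wrapper-x" does not count as a hit.
        $re = '/class="(?:[^"]*\s)?' . preg_quote( $class, '/' ) . '(?:\s[^"]*)?"/';
        if ( preg_match( $re, $html ) ) {
            $hits[] = 'class:' . $class;
        }
    }
    if ( preg_match( '/\bdata-ecf-form-id="([^"]*)"/', $html, $m ) ) {
        $hits[] = 'attr:data-ecf-form-id=' . $m[1];
    }
    if ( preg_match( '/\b(?:var|let|const)\s+ecf_frontend_params\s*=/', $html ) ) {
        $hits[] = 'js:ecf_frontend_params';
    }
    if ( strpos( $html, '<!-- Easy Contact Form Lite Settings -->' ) !== false ) {
        $hits[] = 'comment:settings';
    }
    if ( ! $hits ) {
        return null;
    }

    // WordPress appends ?ver= to enqueued assets; plugins usually pass their
    // own version, so this is the best remote estimate of the installed build.
    $version = null;
    if ( preg_match( '#contact-form-lite/assets/[^"\'\s?]+\?ver=([0-9]+(?:\.[0-9]+)*)#', $html, $m ) ) {
        $version = $m[1];
    }

    $cves = array();
    if ( $version !== null ) {
        foreach ( ECF_CVE_MAX_AFFECTED as $cve => $max ) {
            if ( version_compare( $version, $max, '<=' ) ) {
                $cves[] = $cve;
            }
        }
    }

    return array( 'indicators' => $hits, 'version' => $version, 'possible_cves' => $cves );
}

// Constructed sample page, not captured from a real site.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/contact-form-lite/assets/css/ecf-frontend.css?ver=1.1.27">
<script src="https://example.test/wp-content/plugins/contact-form-lite/assets/js/ecf-frontend.js?ver=1.1.27"></script>
<script>var ecf_frontend_params = {"ajaxurl":"https://example.test/wp-admin/admin-ajax.php"};</script>
<div class="ecf-form-wrapper"><form class="ecf-contact-form" data-ecf-form-id="12">
<button class="ecf-form-submit-button">Send</button></form></div>
HTML;

print_r( ecf_fingerprint( $sample ) );
// indicators: two assets, three classes, the data attribute and the JS global;
// version 1.1.27, so possible_cves contains CVE-2025-5730 only
```

The version is absent when a site strips query strings from its asset URLs or serves them through a minifier, and a matched version range is a lead to confirm against the installed plugin, not a finding by itself: the markers prove the plugin is present, the ?ver= value only estimates which build.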
FAQ

Frequently Asked Questions about Contact Form Plugin