Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress Security & Risk Analysis

wordpress.org/plugins/contact-form-plugin

The most powerful and user-friendly WordPress contact form plugin. Create beautiful contact forms, widgets and pages using shortcodes.

30K active installs · v4.3.6 · PHP + · WP 6.5+ · Updated Dec 25, 2025
Tags: contact-button, contact-page, contact-widget, shortcode-contact-form, wp-contact-form

Score: 67
Grade: C · Use Caution
CVEs total: 10
Unpatched: 1
Last CVE: Dec 7, 2025
Safety Verdict

Is Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress Safe to Use in 2026?

Use With Caution

Score 67/100

Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

10 known CVEs · 1 unpatched · Last CVE: Dec 7, 2025 · Updated 3mo ago
Risk Assessment

The "contact-form-plugin" v4.3.6 presents a mixed security posture. On one hand, the static analysis indicates strong adherence to secure coding practices, with a very high percentage of properly escaped output and a significant number of nonce and capability checks, suggesting developers have implemented robust input validation and access control for many functions. The absence of critical or high-severity taint flows and dangerous functions further bolsters this positive assessment, indicating that at least in the analyzed code, sensitive data handling and execution paths appear to be well-secured against common injection attacks.

However, significant concerns arise from the plugin's vulnerability history. With a total of 10 known CVEs and one currently unpatched high-severity vulnerability, this plugin has a history of exposing users to significant risks. The common vulnerability types like Cross-site Scripting and Missing Authorization, combined with the recent unpatched high-severity issue, highlight a recurring pattern of weaknesses that require immediate attention. While the current static analysis for v4.3.6 shows improvements, the past indicates a potential for underlying architectural flaws or a delay in addressing security fixes, which could still pose a risk if not fully remediated.

In conclusion, while v4.3.6 shows improved code quality with excellent output escaping and a protected attack surface in the static analysis, the plugin's past security record, particularly the unpatched high-severity vulnerability, demands caution. Users should prioritize updating to a version that addresses all known vulnerabilities, especially the one flagged as unpatched. The plugin demonstrates strengths in secure coding for the analyzed version but a historical weakness in timely vulnerability remediation.

Key Concerns

  • Currently unpatched high-severity CVE
  • 50% of SQL queries not using prepared statements
  • 3 flows with unsanitized paths
  • 9 medium severity CVEs in history
Vulnerabilities (10)

Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress Security Vulnerabilities

CVEs by Year

  • 2013: 2 CVEs
  • 2014: 1 CVE
  • 2015: 1 CVE
  • 2017: 2 CVEs
  • 2019: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE (unpatched)

Severity Breakdown

  • High: 1
  • Medium: 9

10 total CVEs

CVE-2025-63056 · medium · 4.3 · Missing Authorization
Contact Form by BestWebSoft <= 4.3.5 - Missing Authorization
Dec 7, 2025 · Unpatched

CVE-2024-2200 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form by BestWebSoft <= 4.2.8 - Reflected Cross-Site Scripting via cntctfrm_contact_subject
Mar 13, 2024 · Patched in 4.2.9 (28d)

CVE-2024-2198 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form by BestWebSoft <= 4.2.8 - Reflected Cross-Site Scripting via cntctfrm_contact_address
Mar 13, 2024 · Patched in 4.2.9 (28d)

CVE-2016-10869 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress <= 4.0.1 - Cross-Site Scripting
Aug 13, 2019 · Patched in 4.0.2 (1624d)

CVE-2015-9295 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form by BestWebSoft <= 3.95 - Reflected Cross-Site Scripting
Apr 12, 2017 · Patched in 3.96 (2477d)

CVE-2017-18491 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Advanced Contact Us Form Builder for WordPress <= 4.0.5 - Reflected Cross-Site Scripting
Apr 12, 2017 · Patched in 4.0.6 (2477d)

Contact Form <= 3.82 - Authorization Bypass
Jan 22, 2015 · Patched in 3.83 (3288d)

CVE-2014-125095 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Plugin <= 3.81 - Unauthenticated Stored Cross-Site Scripting
Aug 7, 2014 · Patched in 3.82 (3472d)

CVE-2013-7481 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form By BestWebSoft <= 3.34 - Cross-Site Scripting
Aug 26, 2013 · Patched in 3.35 (3802d)

CVE-2013-7475 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form by BestWebSoft <= 3.51 - Cross-Site Scripting
Aug 13, 2013 · Patched in 3.52 (3829d)
Code Analysis
Analyzed Mar 16, 2026

Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 · 5 prepared
  • Unescaped Output: 24 · 1090 escaped
  • Nonce Checks: 23
  • Capability Checks: 3
  • File Operations: 11
  • External Requests: 6
  • Bundled Libraries: 0

SQL Query Safety

50% prepared · 10 total queries

Output Escaping

98% escaped · 1114 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

12 flows · 3 with unsanitized paths

  • cntctfrm_check_and_send (contact_form.php:1502)
Attack Surface

Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers (4)

  • auth · wp_ajax_bws_submit_request_feature_action · bws_menu\class-bws-settings.php:1466
  • auth · wp_ajax_bws_submit_uninstall_reason_action · bws_menu\deactivation-form.php:433
  • auth · wp_ajax_cntctfrm_add_language · contact_form.php:2977
  • auth · wp_ajax_cntctfrm_remove_language · contact_form.php:2978

Shortcodes (2)

  • [bws_contact_form] · contact_form.php:2971
  • [bestwebsoft_contact_form] · contact_form.php:2972

WordPress Hooks (22)

  • filter · load_textdomain_mofile · bws_menu\bws_functions.php:43
  • filter · mce_external_plugins · bws_menu\bws_functions.php:1146
  • filter · mce_buttons · bws_menu\bws_functions.php:1147
  • action · admin_init · bws_menu\bws_functions.php:1433
  • action · admin_enqueue_scripts · bws_menu\bws_functions.php:1434
  • action · admin_head · bws_menu\bws_functions.php:1435
  • action · admin_footer · bws_menu\bws_functions.php:1436
  • action · admin_notices · bws_menu\bws_functions.php:1438
  • action · wp_enqueue_scripts · bws_menu\bws_functions.php:1440
  • action · phpmailer_init · contact_form.php:2164
  • action · admin_menu · contact_form.php:2957
  • action · init · contact_form.php:2959
  • action · admin_init · contact_form.php:2960
  • action · plugins_loaded · contact_form.php:2961
  • filter · plugin_action_links · contact_form.php:2964
  • filter · plugin_row_meta · contact_form.php:2965
  • action · admin_enqueue_scripts · contact_form.php:2967
  • action · wp_enqueue_scripts · contact_form.php:2968
  • action · wp_footer · contact_form.php:2969
  • filter · widget_text · contact_form.php:2973
  • filter · bws_shortcode_button_content · contact_form.php:2976
  • action · admin_notices · contact_form.php:2980
Maintenance & Trust

Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 25, 2025
  • PHP min version:
  • Downloads: 5.3M

Community Trust

  • Rating: 80/100
  • Number of ratings: 291
  • Active installs: 30K
Developer Profile

Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress Developer Profile

bestwebsoft

17 plugins · 207K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1729 days
Detection Fingerprints

How We Detect Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/contact-form-plugin/css/cntctfrm-style.css
  • /wp-content/plugins/contact-form-plugin/js/cntctfrm-scripts.js
  • /wp-content/plugins/contact-form-plugin/includes/build/index.js
  • /wp-content/plugins/contact-form-plugin/includes/build/index.asset.php
Script Paths
  • /wp-content/plugins/contact-form-plugin/js/cntctfrm-scripts.js
  • /wp-content/plugins/contact-form-plugin/includes/build/index.js
Version Parameters
  • contact-form-plugin/css/cntctfrm-style.css?ver=
  • contact-form-plugin/js/cntctfrm-scripts.js?ver=
  • contact-form-plugin/includes/build/index.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cntctfrm-wrap
  • cntctfrm_form
HTML Comments
  • <!-- Start Contact Form by BestWebSoft -->
  • <!-- End Contact Form by BestWebSoft -->
Data Attributes
  • data-cntctfrm-id
  • data-cntctfrm-nonce
JS Globals
  • cntctfrm_params
FAQ

Frequently Asked Questions about Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress