Contact Form Query Security & Risk Analysis

wordpress.org/plugins/contact-form-query

Add a contact form and receive new message notifications directly to your WordPress admin and to your email. Search and filter messages.

Active installs: 1K · Version: v1.9.0 · PHP 7.0+ · WP 5.0+ · Updated Mar 8, 2026
Tags: contact, contact-form, contact-form-plugin, email, form
Score: 100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Contact Form Query Safe to Use in 2026?

Generally Safe

Score 100/100

Contact Form Query has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 25d ago
Risk Assessment

The "contact-form-query" plugin v1.9.0 exhibits a mixed security posture. On the positive side, it demonstrates strong practices regarding output escaping (99% proper) and judicious use of prepared statements for SQL queries (65%). The absence of known CVEs and a clean vulnerability history suggest a generally well-maintained codebase over time. However, a significant concern arises from the attack surface analysis, which reveals 11 AJAX handlers completely unprotected by authentication checks. This presents a substantial risk, as any unauthenticated user could potentially trigger these handlers. Furthermore, the taint analysis identified one flow with an unsanitized path of high severity, indicating a potential vulnerability where user-supplied data might be processed in an insecure manner. While the presence of nonce checks (12) and capability checks (13) is encouraging, their effectiveness is undermined by the lack of authorization on a majority of AJAX endpoints.

Key Concerns

  • 11 unprotected AJAX handlers
  • High severity unsanitized path in taint analysis
Vulnerabilities
None known

Contact Form Query Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Contact Form Query Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (11 prepared)
Unescaped Output: 3 (354 escaped)
Nonce Checks: 12
Capability Checks: 13
File Operations: 0
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

65% prepared (17 total queries)

Output Escaping

99% escaped (357 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

12 flows, 1 with unsanitized paths
delete (admin\inc\class-stcfq-message.php:24)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
11 unprotected

Contact Form Query Attack Surface

Entry Points: 12
Unprotected: 11

AJAX Handlers: 11

Type · Hook · Location
auth · wp_ajax_stcfq-load-more-messages · admin\admin.php:21
auth · wp_ajax_stcfq-delete-message · admin\admin.php:24
auth · wp_ajax_stcfq-bulk-action · admin\admin.php:27
auth · wp_ajax_stcfq-save-note · admin\admin.php:30
auth · wp_ajax_stcfq-save-form-fields · admin\admin.php:39
auth · wp_ajax_stcfq-save-layout · admin\admin.php:42
auth · wp_ajax_stcfq-save-captcha · admin\admin.php:45
auth · wp_ajax_stcfq-save-email · admin\admin.php:48
auth · wp_ajax_stcfq-save-uninstall-setting · admin\admin.php:51
auth · wp_ajax_stcfq-save-contact · public\public.php:12
nopriv · wp_ajax_stcfq-save-contact · public\public.php:13

Shortcodes: 1

[contact_form_query] · public\public.php:10

WordPress Hooks: 11

Type · Hook · Location
action · admin_notices · admin\admin.php:12
action · init · admin\admin.php:15
action · admin_menu · admin\admin.php:18
action · wp_dashboard_setup · admin\admin.php:33
action · admin_enqueue_scripts · admin\admin.php:36
filter · script_loader_tag · public\inc\form\contact.php:103
filter · script_loader_tag · public\inc\form\contact.php:117
action · init · public\public.php:8
action · admin_bar_menu · public\public.php:15
action · admin_enqueue_scripts · public\public.php:16
action · wp_enqueue_scripts · public\public.php:17
Maintenance & Trust

Contact Form Query Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Mar 8, 2026
PHP min version: 7.0
Downloads: 104K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 1K
Developer Profile

Contact Form Query Developer Profile

ScriptsTown

20 plugins · 20K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Contact Form Query

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-form-query/assets/css/stcfq-admin.css
/wp-content/plugins/contact-form-query/assets/js/stcfq-admin.js
Script Paths
/wp-content/plugins/contact-form-query/assets/js/stcfq-admin.js
Version Parameters
contact-form-query/assets/css/stcfq-admin.css?ver=
contact-form-query/assets/js/stcfq-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
stcfq-admin
Data Attributes
data-nonce
JS Globals
stcfqadminurl
FAQ

Frequently Asked Questions about Contact Form Query