Contact Form to Any API Security & Risk Analysis

wordpress.org/plugins/contact-form-to-any-api

Send Contact Form 7 submissions to any API, Webhook or CRM - quick setup, flexible payloads, endpoints and authentication.

9K active installs · v3.0.3 · PHP 7.4+ · WP 6.0+ · Updated Jan 22, 2026
contact-form-7 · crm · integration · rest-api · webhook
93
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Sep 24, 2024
Safety Verdict

Is Contact Form to Any API Safe to Use in 2026?

Generally Safe

Score 93/100

Contact Form to Any API has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Sep 24, 2024 · Updated 2mo ago
Risk Assessment

The 'contact-form-to-any-api' plugin exhibits a mixed security posture. While it demonstrates good practices such as a high percentage of SQL prepared statements and properly escaped output, significant concerns arise from its attack surface and past vulnerability history. The presence of four AJAX handlers without authorization checks is a major weakness, creating direct entry points for attackers. This is further compounded by taint analysis revealing three high-severity flows, indicating potential for attackers to influence the application's behavior with unsanitized input.

The plugin's vulnerability history, with four known CVEs including one critical and two high severity, is a strong indicator of recurring security flaws. The common vulnerability types listed (XSS, SQL Injection, Missing Authorization) align with the identified risks in the static analysis. The recent vulnerability in September 2024 suggests ongoing security challenges. Despite the otherwise robust coding practices, the combination of an unprotected attack surface and a history of critical vulnerabilities necessitates caution.

In conclusion, while the plugin has strengths in its use of prepared statements and output escaping, the unprotected AJAX endpoints and a concerning history of severe vulnerabilities represent significant risks. The plugin requires careful monitoring and prompt updates to address potential exploits.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Previous critical vulnerability
  • Previous high severity vulnerabilities (2)
  • Bundled library (Select2)
Vulnerabilities
4

Contact Form to Any API Security Vulnerabilities

CVEs by Year

2023: 2 CVEs
2024: 2 CVEs

Severity Breakdown

Critical: 1
High: 2
Medium: 1

4 total CVEs

CVE-2024-7617 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form to Any API <= 1.2.4 - Unauthenticated Stored Cross-Site Scripting via Contact Form
Sep 24, 2024 · Patched in 1.2.5 (10d)

CVE-2024-30242 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Contact Form to Any API <= 1.1.8 - Authenticated (Subscriber+) SQL Injection
Mar 26, 2024 · Patched in 1.1.9 (43d)

CVE-2023-47871 · medium · 6.5 · Missing Authorization
Contact Form to Any API <= 1.1.6 - Missing Authorization via delete_cf7_records()
Nov 20, 2023 · Patched in 1.1.7 (64d)

CVE-2023-32741 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Contact Form to Any API <= 1.1.2 - Authenticated (Administrator+) SQL Injection via 'form_id'
Jul 17, 2023 · Patched in 1.1.3 (190d)

Code Analysis
Analyzed Mar 16, 2026

Contact Form to Any API Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 · 23 prepared
Unescaped Output: 57 · 252 escaped
Nonce Checks: 6
Capability Checks: 4
File Operations: 2
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

92% prepared · 25 total queries

Output Escaping

82% escaped · 309 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

7 flows · 4 with unsanitized paths
cf7_to_any_api_get_form_field_function (admin\class-cf7-to-any-api-admin.php:477)
Attack Surface
4 unprotected

Contact Form to Any API Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers: 4

auth · wp_ajax_cf7_to_any_api_get_form_field · includes\class-cf7-to-any-api.php:169
auth · wp_ajax_cf7_to_any_api_bulk_log_delete · includes\class-cf7-to-any-api.php:170
auth · wp_ajax_delete_records · includes\class-cf7-to-any-api.php:175
auth · wp_ajax_cf7_to_any_api_toggle_status · includes\class-cf7-to-any-api.php:178

WordPress Hooks: 17

action · admin_footer · admin\class-cf7-to-any-api-admin.php:53
action · plugins_loaded · includes\class-cf7-to-any-api.php:146
action · admin_enqueue_scripts · includes\class-cf7-to-any-api.php:162
action · admin_enqueue_scripts · includes\class-cf7-to-any-api.php:163
action · admin_notices · includes\class-cf7-to-any-api.php:164
action · init · includes\class-cf7-to-any-api.php:165
action · admin_menu · includes\class-cf7-to-any-api.php:166
action · add_meta_boxes · includes\class-cf7-to-any-api.php:167
action · save_post_cf7_to_any_api · includes\class-cf7-to-any-api.php:168
filter · plugin_action_links · includes\class-cf7-to-any-api.php:171
filter · manage_cf7_to_any_api_posts_columns · includes\class-cf7-to-any-api.php:172
filter · manage_edit-cf7_to_any_api_sortable_columns · includes\class-cf7-to-any-api.php:173
action · plugins_loaded · includes\class-cf7-to-any-api.php:174
action · admin_post_save_cf7_to_any_api_update_settings · includes\class-cf7-to-any-api.php:176
action · manage_cf7_to_any_api_posts_custom_column · includes\class-cf7-to-any-api.php:177
action · wp_dashboard_setup · includes\class-cf7-to-any-api.php:189
filter · plugin_row_meta · includes\class-cf7-to-any-api.php:191

Maintenance & Trust

Contact Form to Any API Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 22, 2026
PHP min version: 7.4
Downloads: 90K

Community Trust

Rating: 100/100
Number of ratings: 28
Active installs: 9K

Developer Profile

Contact Form to Any API Developer Profile

IT Path Solutions

10 plugins · 11K total installs

Trust score: 84
Avg Security Score: 94/100
Avg Patch Time: 77 days
Detection Fingerprints

How We Detect Contact Form to Any API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-form-to-any-api/css/cf7-to-any-api-admin.css
Script Paths
/wp-content/plugins/contact-form-to-any-api/js/cf7-to-any-api-admin.js
Version Parameters
contact-form-to-any-api/css/cf7-to-any-api-admin.css?ver=
contact-form-to-any-api/js/cf7-to-any-api-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
cf7anyapi-notice-bar
cf7anyapi-close-btn
Data Attributes
cf7_to_any_api_site_url
cf7_to_any_api_ajax_url
JS Globals
cf7_to_any_api_ajax_object