Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress Security & Risk Analysis

wordpress.org/plugins/contact-form-to-db

Save and manage Contact Form messages. Never lose important data.

1K active installs · v1.7.4 · Requires: PHP + WP 5.6+ · Updated Feb 23, 2026

Tags: browse-messages, cf-add-on, contact-button, contact-form-add-on, contact-form-parameters

Security score: 92 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Jun 5, 2024
Safety Verdict

Is Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress Safe to Use in 2026?

Generally Safe

Score 92/100

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress has no unpatched vulnerabilities at the time of analysis. All five known issues have been fixed, but not always promptly: the patch intervals listed in the vulnerability table below range from 9 days for the 2024 SQL injection to several hundred days for the 2023 issues and 2477 days for the 2017 cross-site scripting advisory.

5 known CVEs · Last CVE: Jun 5, 2024 · Updated 1mo ago
Risk Assessment

The contact-form-to-db plugin shows a mixed security posture. In its favour, 72% of its SQL queries go through prepared statements and 95% of its output is escaped. Against that, several signals deserve attention: four `unserialize()` calls on the stored custom_fields column, one taint-analysis flow with an unsanitized path, and one of the five wp_ajax_ handlers flagged as unprotected. The code analysis also counts 23 nonce checks but only 3 capability checks; a nonce proves that a request came from the site's own UI, not that the user is allowed to perform the action, so the capability count is the one that matters for handlers reachable by low-privileged accounts. Whether the `unserialize()` calls are exploitable depends on who can control what is written to custom_fields, which this analysis does not establish; `unserialize()` on attacker-influenced data is the classic precondition for PHP object injection, and the plugin exists to store user-submitted form data, so that question is worth answering in a review. The plugin also has five published vulnerabilities, one critical and two high-severity SQL injections plus two cross-site scripting advisories, a recurring pattern rather than a one-off. No CVE is currently unpatched, but the history and the code signals justify a careful review before relying on it for sensitive message data.

Key Concerns

  • Unprotected AJAX handler
  • High severity unsanitized taint flow
  • Dangerous function: unserialize
  • History of 1 critical CVE
  • History of 2 high CVEs
  • History of SQL Injection vulnerabilities
  • History of Cross-site Scripting vulnerabilities
Vulnerabilities (5)

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress Security Vulnerabilities

CVEs by Year

  • 2017: 1 CVE
  • 2023: 3 CVEs
  • 2024: 1 CVE

Patch status: all patched

Severity Breakdown

  • Critical: 1
  • High: 2
  • Medium: 2

5 total CVEs

CVE-2024-35678 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress <= 1.7.2 - Authenticated (Author+) SQL Injection
  Jun 5, 2024 · Patched in 1.7.3 (9 days)

CVE-2023-36508 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  Contact Form to DB by BestWebSoft <= 1.7.1 - Authenticated (Administrator+) SQL Injection via 's'
  Jun 23, 2023 · Patched in 1.7.2 (214 days)

CVE-2023-29096 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  Contact Form to DB by BestWebSoft <= 1.7.0 - Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department
  Apr 17, 2023 · Patched in 1.7.1 (281 days)

WF-19b21013-136a-41b0-a667-39f23ccedf2e · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Contact Form to DB <= 1.7.0 - Multiple Cross-Site Scripting
  Apr 14, 2023 · Patched in 1.7.1 (284 days)

CVE-2017-18492 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Contact Form to DB <= 1.5.6 - Multiple Cross-Site Scripting
  Apr 12, 2017 · Patched in 1.5.7 (2477 days)
Code Analysis
Analyzed Mar 16, 2026

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 14 (36 prepared)
Unescaped Output: 28 (539 escaped)
Nonce Checks: 23
Capability Checks: 3
File Operations: 21
External Requests: 6
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$custom_fields = unserialize( $data->custom_fields );` · contact_form_to_db.php:858
  • unserialize · `$custom_fields = unserialize( $data->custom_fields );` · contact_form_to_db.php:949
  • unserialize · `$custom_fields = unserialize( $data->custom_fields );` · contact_form_to_db.php:1103
  • unserialize · `$custom_fields = unserialize( $value->custom_fields );` · contact_form_to_db.php:2031

SQL Query Safety

72% prepared (50 total queries)

Output Escaping

95% escaped (567 total outputs)

Data Flows: 1 unsanitized

Data Flow Analysis

10 flows, 1 with unsanitized paths

  • bws_add_menu_render (bws_menu\bws_menu.php:18)
Attack Surface: 1 unprotected

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress Attack Surface

Entry Points: 5
Unprotected: 1

AJAX Handlers (5)

  • auth · wp_ajax_bws_submit_request_feature_action · bws_menu\class-bws-settings.php:1466
  • auth · wp_ajax_bws_submit_uninstall_reason_action · bws_menu\deactivation-form.php:433
  • auth · wp_ajax_cntctfrmtdb_read_message · contact_form_to_db.php:2586
  • auth · wp_ajax_cntctfrmtdb_show_attachment · contact_form_to_db.php:2587
  • auth · wp_ajax_cntctfrmtdb_change_staus · contact_form_to_db.php:2588

All five are registered on wp_ajax_ only, with no wp_ajax_nopriv_ variant, so each needs a logged-in session; any authenticated user can still reach them through admin-ajax.php, which is what makes the single unprotected handler a concern given the plugin's history of Contributor+ and Author+ SQL injection. The report does not say which of the five it is.
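The three code signals reported above (raw versus prepared $wpdb queries, unserialize() without a class allow-list, and wp_ajax_ handlers that skip the nonce or capability check) can be approximated with a few regular expressions and brace matching. The script below is an added example written for this page; it is neither the analysis site's own tooling nor code from the plugin, and SAMPLE_PHP is constructed input using hypothetical names (demo_change_status, demo_read_message, a demo table) that do not exist in the plugin.

```python
"""Toy static checks for three WordPress plugin code signals: raw vs prepared $wpdb calls,
unserialize() without allowed_classes, and wp_ajax_ callbacks lacking nonce/capability checks.
Added example for this page; SAMPLE_PHP is constructed input with hypothetical names."""
import re

SAMPLE_PHP = r'''<?php
add_action( 'wp_ajax_demo_change_status', 'demo_change_status' );
add_action( 'wp_ajax_demo_read_message', 'demo_read_message' );

function demo_change_status() {
    global $wpdb;
    $id = $_POST['id'];
    $wpdb->query( "UPDATE {$wpdb->prefix}demo SET status = 1 WHERE id = $id" );
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}demo WHERE id = $id" );
    $custom = unserialize( $row->custom_fields );
    wp_send_json_success( $custom );
}

function demo_read_message() {
    global $wpdb;
    check_ajax_referer( 'demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id  = absint( $_POST['id'] );
    $row = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}demo WHERE id = %d", $id ) );
    $custom = unserialize( $row->custom_fields, array( 'allowed_classes' => false ) );
    wp_send_json_success( $custom );
}
'''

WPDB_CALL = re.compile(r'\$wpdb->(?:query|get_row|get_results|get_var|get_col)\s*\(\s*')
UNSERIALIZE = re.compile(r'\bunserialize\s*\(')
# string callbacks only; array( $obj, 'method' ) callbacks are out of scope for this toy
AJAX_HOOK = re.compile(r"add_action\(\s*['\"](wp_ajax(?:_nopriv)?_\w+)['\"]\s*,\s*['\"](\w+)['\"]")


def line_of(src, pos):
    return src.count('\n', 0, pos) + 1


def balanced_span(src, start, open_ch, close_ch):
    """Text from `start` up to the delimiter that balances the opener just before `start`."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {open_ch: 1, close_ch: -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]


def classify_sql(src):
    """Line numbers of $wpdb read/write calls, split by whether the SQL comes from $wpdb->prepare()."""
    raw, prepared = [], []
    for m in WPDB_CALL.finditer(src):
        (prepared if src.startswith('$wpdb->prepare', m.end()) else raw).append(line_of(src, m.start()))
    return raw, prepared


def find_unserialize(src):
    """(line, restricted) per unserialize() call; restricted means an allowed_classes option is passed."""
    return [(line_of(src, m.start()), 'allowed_classes' in balanced_span(src, m.end(), '(', ')'))
            for m in UNSERIALIZE.finditer(src)]


def function_body(src, name):
    m = re.search(r'\bfunction\s+' + re.escape(name) + r'\s*\([^)]*\)\s*\{', src)
    return balanced_span(src, m.end(), '{', '}') if m else ''


def audit_ajax(src):
    """For each wp_ajax_ hook: does the callback verify a nonce and check a capability?"""
    out = {}
    for hook, callback in AJAX_HOOK.findall(src):
        body = function_body(src, callback)
        out[hook] = {
            'callback': callback,
            'nonce': bool(re.search(r'\b(?:check_ajax_referer|wp_verify_nonce)\s*\(', body)),
            'capability': bool(re.search(r'\bcurrent_user_can\s*\(', body)),
            'nopriv': '_nopriv_' in hook,  # reachable without a login
        }
    return out


def report(src=SAMPLE_PHP):
    raw, prepared = classify_sql(src)
    ajax = audit_ajax(src)
    return {
        'raw_sql': raw,
        'prepared_sql': prepared,
        'unserialize_unrestricted': [ln for ln, restricted in find_unserialize(src) if not restricted],
        'unprotected_ajax': [h for h, r in ajax.items() if not (r['nonce'] and r['capability'])],
    }


if __name__ == '__main__':
    for key, value in report().items():
        print(f'{key}: {value}')
```

On the sample, demo_change_status is reported for two raw queries (the interpolated $id is injectable by any logged-in user, since wp_ajax_ needs no capability by itself), an unrestricted unserialize(), and a missing nonce and capability check, while demo_read_message is clean on all three counts. A regex pass of this kind is what produces counts like "14 raw / 36 prepared"; it cannot tell whether an interpolated value was sanitized earlier, so the raw list is a review queue, not a list of confirmed injections.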
WordPress Hooks (21)

  • filter · load_textdomain_mofile · bws_menu\bws_functions.php:43
  • filter · mce_external_plugins · bws_menu\bws_functions.php:1146
  • filter · mce_buttons · bws_menu\bws_functions.php:1147
  • action · admin_init · bws_menu\bws_functions.php:1433
  • action · admin_enqueue_scripts · bws_menu\bws_functions.php:1434
  • action · admin_head · bws_menu\bws_functions.php:1435
  • action · admin_footer · bws_menu\bws_functions.php:1436
  • action · admin_notices · bws_menu\bws_functions.php:1438
  • action · wp_enqueue_scripts · bws_menu\bws_functions.php:1440
  • action · plugins_loaded · contact_form_to_db.php:2569
  • action · admin_menu · contact_form_to_db.php:2571
  • action · init · contact_form_to_db.php:2573
  • action · admin_init · contact_form_to_db.php:2574
  • action · admin_enqueue_scripts · contact_form_to_db.php:2576
  • filter · plugin_action_links · contact_form_to_db.php:2578
  • filter · plugin_row_meta · contact_form_to_db.php:2579
  • action · cntctfrm_get_mail_data · contact_form_to_db.php:2581
  • action · cntctfrm_get_attachment_data · contact_form_to_db.php:2582
  • action · cntctfrm_check_dispatch · contact_form_to_db.php:2583
  • filter · set-screen-option · contact_form_to_db.php:2584
  • action · admin_notices · contact_form_to_db.php:2590
Maintenance & Trust

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Feb 23, 2026
  • PHP min version: (not listed)
  • Downloads: 104K

Community Trust

  • Rating: 84/100
  • Number of ratings: 12
  • Active installs: 1K

Developer Profile

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress Developer Profile

bestweblayout

32 plugins · 17K total installs

  • Trust score: 78
  • Avg Security Score: 98/100
  • Avg Patch Time: 1944 days
Detection Fingerprints

How We Detect Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/contact-form-to-db/css/bws-admin-style.css
  • /wp-content/plugins/contact-form-to-db/css/bws-plugin-style.css
  • /wp-content/plugins/contact-form-to-db/css/cntctfrmtdb-admin.css
  • /wp-content/plugins/contact-form-to-db/css/cntctfrmtdb-style.css
  • /wp-content/plugins/contact-form-to-db/js/bws-admin-script.js
  • /wp-content/plugins/contact-form-to-db/js/cntctfrmtdb-admin.js
  • /wp-content/plugins/contact-form-to-db/js/cntctfrmtdb-script.js

Script Paths
  • /wp-content/plugins/contact-form-to-db/js/bws-admin-script.js
  • /wp-content/plugins/contact-form-to-db/js/cntctfrmtdb-admin.js
  • /wp-content/plugins/contact-form-to-db/js/cntctfrmtdb-script.js

Version Parameters
  • contact-form-to-db/css/bws-admin-style.css?ver=
  • contact-form-to-db/css/bws-plugin-style.css?ver=
  • contact-form-to-db/css/cntctfrmtdb-admin.css?ver=
  • contact-form-to-db/css/cntctfrmtdb-style.css?ver=
  • contact-form-to-db/js/bws-admin-script.js?ver=
  • contact-form-to-db/js/cntctfrmtdb-admin.js?ver=
  • contact-form-to-db/js/cntctfrmtdb-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cntctfrmtdb_manager_page
  • bws_notice_text
  • bws_plugin_settings_tabs
  • bws_plugin_settings_content
  • bws_plugin_settings_content_page

HTML Comments
  • Copyright 2021 BestWebSoft
  • This program is free software; you can redistribute it and/or modify
  • This program is distributed in the hope that it will be useful
  • You should have received a copy of the GNU General Public License
  • +14 more

Data Attributes
  • data-bws-version
  • data-bws-plugin

JS Globals
  • cntctfrmtdb_admin_script
  • cntctfrmtdb_script
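Putting the fingerprints above to work: a crawler looks for the plugin directory in src/href attributes, reads the plugin version from the ?ver= parameter, and maps that version onto the advisory table from the Vulnerabilities section. The script below is an added example written for this page, not the analysis site's own scanner; the plugin directory, the ?ver= convention, the JS global names and the advisory ranges are taken from this page, while the host example.test, SAMPLE_HTML and its element ids are constructed sample input. One caveat a scanner must handle is built in: wp_enqueue_script and wp_enqueue_style append the WordPress core version when a plugin passes no version of its own, so a ?ver= equal to the generator version says nothing about the plugin.

```python
"""Detect the contact-form-to-db plugin on a crawled page and map its version to known
advisories.  Added example for this page; SAMPLE_HTML and example.test are constructed."""
import re
from urllib.parse import parse_qs, urlparse

PLUGIN_DIR = '/wp-content/plugins/contact-form-to-db/'

# (highest affected version, identifier, summary), copied from the Vulnerabilities section
ADVISORIES = [
    ('1.7.2', 'CVE-2024-35678', 'Authenticated (Author+) SQL Injection'),
    ('1.7.1', 'CVE-2023-36508', "Authenticated (Administrator+) SQL Injection via 's'"),
    ('1.7.0', 'CVE-2023-29096', 'Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department'),
    ('1.7.0', 'WF-19b21013-136a-41b0-a667-39f23ccedf2e', 'Multiple Cross-Site Scripting'),
    ('1.5.6', 'CVE-2017-18492', 'Multiple Cross-Site Scripting'),
]

# Constructed sample page: one asset carries the plugin version, one carries the core version.
SAMPLE_HTML = r"""<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.7.5" />
<link rel='stylesheet' id='cntctfrmtdb-style-css' href='https://example.test/wp-content/plugins/contact-form-to-db/css/cntctfrmtdb-style.css?ver=1.7.2' media='all' />
<link rel='stylesheet' id='bws-plugin-style-css' href='https://example.test/wp-content/plugins/contact-form-to-db/css/bws-plugin-style.css?ver=6.7.5' media='all' />
<script src='https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1' id='jquery-core-js'></script>
<script id='cntctfrmtdb-script-js-extra'>var cntctfrmtdb_script = {"ajaxurl":"https:\/\/example.test\/wp-admin\/admin-ajax.php"};</script>
<script src='https://example.test/wp-content/plugins/contact-form-to-db/js/cntctfrmtdb-script.js?ver=1.7.2' id='cntctfrmtdb-script-js'></script>
</head><body class="home"></body></html>"""


def version_tuple(v):
    """'1.7.2' -> (1, 7, 2); short versions are zero-padded so '1.7' compares equal to '1.7.0'."""
    parts = [int(p) for p in re.findall(r'\d+', v)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def wp_core_version(html):
    """WordPress core version from the generator meta tag, if the site still emits it."""
    m = re.search(r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', html)
    return m.group(1) if m else None


def fingerprint(html):
    """Map each plugin asset referenced by src/href to its ?ver= value (None when absent)."""
    found = {}
    for m in re.finditer(r'(?:src|href)=["\']([^"\']+)["\']', html):
        parsed = urlparse(m.group(1))
        idx = parsed.path.find(PLUGIN_DIR)
        if idx == -1:
            continue
        found[parsed.path[idx:]] = parse_qs(parsed.query).get('ver', [None])[0]
    return found


def affected_advisories(version):
    """Identifiers whose affected range (<= highest affected version) includes `version`."""
    vt = version_tuple(version)
    return [ident for max_v, ident, _ in ADVISORIES if vt <= version_tuple(max_v)]


def scan(html):
    found = fingerprint(html)
    if not found:
        return {'installed': False}
    core = wp_core_version(html)
    # A ?ver= equal to the core version is WordPress's default, not the plugin's version.
    versions = {v for v in found.values() if v and v != core}
    # Mixed values usually mean cached assets; report the oldest and leave it for manual review.
    version = min(versions, key=version_tuple) if versions else None
    return {
        'installed': True,
        'assets': sorted(found),
        'version': version,
        'advisories': affected_advisories(version) if version else [],
        'js_global': bool(re.search(r'\bcntctfrmtdb_(?:admin_)?script\s*=', html)),
    }


if __name__ == '__main__':
    print(scan(SAMPLE_HTML))
```

On the sample the bws-plugin-style.css asset reports 6.7.5, which matches the generator tag and is discarded, so the plugin version resolves to 1.7.2 and only CVE-2024-35678 is flagged; a site on 1.7.0 would match four of the five advisories. Absence of a ?ver= value, or a ver that only ever equals the core version, means the scanner has confirmed presence but not version, and the result should say so rather than default to "not vulnerable".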
FAQ

Frequently Asked Questions about Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress