Contact Form Email Security & Risk Analysis

wordpress.org/plugins/contact-form-to-email

Contact form with visual form builder. Contact form that sends the data to email, to a database list and to CSV / Excel files.

9K active installs · v1.3.64 · PHP + WP 3.0.5+ · Updated Feb 16, 2026
Tags: contact, contact-form, contact-form-database, email, form
Security score: 88 (A · Safe)
CVEs total: 16
Unpatched: 0
Last CVE: Dec 1, 2025
Safety Verdict

Is Contact Form Email Safe to Use in 2026?

Generally Safe

Score 88/100

Contact Form Email has no unpatched vulnerabilities, and its recent disclosures were fixed quickly (the three 2025 entries in 3, 5 and 38 days). The track record itself is long, 16 CVEs since 2014, and the risk assessment below weighs that history against the score.

16 known CVEs · Last CVE: Dec 1, 2025 · Updated 1mo ago
Risk Assessment

The 'contact-form-to-email' plugin v1.3.64 exhibits a mixed security posture. On the positive side, 54% of its SQL queries (28 of 52) use prepared statements and 79% of its output sites (517 of 655) are escaped. Against that, static analysis flags one of the plugin's two AJAX handlers as unprotected; both are registered on the `wp_ajax_` prefix, so that endpoint is reachable by any logged-in user, not only administrators. The analysis also finds seven calls to `unserialize()`, every one of them on data read back from the database (form submissions in the `posted_data` column, and a user-ID list in the two admin booking includes). `unserialize()` on attacker-influenced data is the classic PHP object injection vector, so these sites are only as safe as the write path to that column: the submissions are user input, and any second bug that lets a caller write a crafted serialized string there (or an import of tampered CSV data) would turn them into an exploit primitive. Finally, taint analysis reports 8 data flows, 4 with unsanitized paths and 3 of those rated high severity, which points at injection or information-disclosure bugs of the kind already in the CVE list.

The vulnerability history is the main concern: 16 known CVEs, 5 high and 11 medium, with the same classes recurring. Eleven of the 16 are cross-site scripting or CSRF; the rest are authorization failures (an unauthenticated IDOR and a missing-authorization bug in 2025, another missing-authorization bug in 2023), an unauthenticated information exposure and a guessable CAPTCHA. Two of the 2023 entries (the CSRF and the missing-authorization bug, both fixed in 1.3.32) concerned the feedback submission path, and `wp_ajax_cpcfte_feedback` is one of the two AJAX handlers listed below. Three CVEs were disclosed in 2025, the latest on Dec 1, so the plugin is still producing the same kinds of bug even though nothing is currently unpatched. That pattern suggests past fixes closed individual findings rather than the authorization and output-handling weaknesses behind them.

In conclusion, the plugin does apply protections in places (the code analysis counts 19 nonce checks and 13 capability checks), but the unguarded AJAX endpoint, the `unserialize()` calls on stored data, the high-severity taint flows and a history of high- and medium-severity authorization and XSS bugs make it a notable risk that warrants a cautious approach. In practice that means running the current release (the fix for CVE-2025-10019 shipped in 1.3.61), noting that three of the four stored XSS issues needed an Administrator account to plant while CVE-2023-2718 and the 2025 IDOR were exploitable unauthenticated, and treating the stored submissions table as untrusted input wherever the plugin reads it back.

Key Concerns

  • Unprotected AJAX handler found
  • Dangerous function 'unserialize' used
  • High severity taint flows (3)
  • Total known CVEs: 16
  • High severity CVEs: 5
  • Medium severity CVEs: 11
Vulnerabilities (16)

Contact Form Email Security Vulnerabilities

CVEs by Year

2014: 1 · 2015: 1 · 2016: 1 · 2019: 3 · 2021: 1 · 2023: 5 · 2024: 1 · 2025: 3 (all patched)

Severity Breakdown

High: 5 · Medium: 11 · 16 total CVEs

Entries below are newest first. The day count in parentheses after each fix version is the page's own figure; for every entry from 2014 through November 2023 it equals the number of days from the disclosure date to Jan 23, 2024 regardless of when the bug was disclosed, so for those entries it records when this scanner first logged the fix rather than how long the vendor took to patch. Only the 2024 and 2025 values (7, 5, 3 and 38 days) can be read as patch latency.

CVE-2025-10019 · medium · 5.3 · Authorization Bypass Through User-Controlled Key
Contact Form Email <= 1.3.60 - Unauthenticated Insecure Direct Object Reference
Dec 1, 2025 · Patched in 1.3.61 (38d)

CVE-2025-64369 · medium · 4.3 · Missing Authorization
Contact Form Email <= 1.3.58 - Missing Authorization
Nov 15, 2025 · Patched in 1.3.59 (3d)

CVE-2025-24727 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Email <= 1.3.52 - Authenticated (Administrator+) Stored Cross-Site Scripting
Jan 24, 2025 · Patched in 1.3.53 (5d)

CVE-2024-31302 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Contact Form Email <= 1.3.44 - Unauthenticated Sensitive Information Exposure
Apr 5, 2024 · Patched in 1.3.45 (7d)

CVE-2023-48318 · medium · 5.3 · Guessable CAPTCHA
Contact Form Email <= 1.3.41 - Captcha Bypass
Nov 23, 2023 · Patched in 1.3.42 (61d)

CVE-2023-5955 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Email <= 1.3.43 - Authenticated (Admin+) Stored Cross-Site Scripting
Nov 14, 2023 · Patched in 1.3.44 (70d)

CVE-2023-2718 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Email <= 1.3.37 - Unauthenticated Stored Cross-Site Scripting
May 16, 2023 · Patched in 1.3.38 (252d)

WF-ce6ea115-941e-482f-a2a4-95293ff10a69-contact-form-to-email · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Contact Form Email <= 1.3.31 - Cross-Site Request Forgery to Feedback Submission
Mar 21, 2023 · Patched in 1.3.32 (308d)

CVE-2023-28494 · medium · 4.3 · Missing Authorization
Contact Form Email <= 1.3.31 - Missing Authorization to Feedback Submission
Mar 16, 2023 · Patched in 1.3.32 (313d)

CVE-2021-42361 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Email <= 1.3.24 - Authenticated (Admin+) Stored Cross-Site Scripting
Nov 11, 2021 · Patched in 1.3.25 (802d)

CVE-2018-20963 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Email <= 1.2.65 - Cross-Site Scripting
Aug 12, 2019 · Patched in 1.2.66 (1625d)

CVE-2018-20964 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Contact Form Email <= 1.2.65 - Cross-Site Request Forgery
Aug 12, 2019 · Patched in 1.2.66 (1625d)

CVE-2019-9646 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Email <= 1.2.65 - Reflected Cross-Site Scripting
Feb 5, 2019 · Patched in 1.2.66 (1813d)

WF-c77295f3-0a37-4fa8-a375-b4bd3dc55945-contact-form-to-email · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Email < 1.1.48 - Reflected Cross-Site Scripting
Jul 24, 2016 · Patched in 1.1.48 (2739d)

WF-fa9450a4-2b96-45e4-b2dc-9a4b26449d19-contact-form-to-email · high · 8.8 · Cross-Site Request Forgery (CSRF)
Contact Form Email <= 1.3.11 - Cross-Site Request Forgery to Cross-Site Scripting
May 13, 2015 · Patched in 1.3.12 (3177d)

WF-a0850b88-09f0-4da8-a9be-1b4aacf610e0-contact-form-to-email · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form Email < 1.0.1 - Cross-Site Scripting
Nov 22, 2014 · Patched in 1.0.1 (3349d)
Code Analysis
Analyzed Mar 16, 2026

Contact Form Email Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 24 (28 prepared)
Unescaped Output: 138 (517 escaped)
Nonce Checks: 19
Capability Checks: 13
File Operations: 8
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found (all seven are unserialize() calls on data read from the database; the first two listings are truncated on the page)

unserialize · cp-admin-int-add-booking.inc.php:12
    if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_
unserialize · cp-admin-int-edit-booking.inc.php:12
    if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_
unserialize · cp-admin-int-message-list.inc.php:238
    $posted_data = unserialize($events[$i]->posted_data);
unserialize · cp-admin-int-report.inc.php:56
    $params = unserialize($item->posted_data);
unserialize · cp-main-class.inc.php:401
    $preload_params = unserialize($event[0]->posted_data);
unserialize · cp-main-class.inc.php:1278
    $data = unserialize($item->posted_data);
unserialize · cp-main-class.inc.php:1417
    $data = unserialize($item->posted_data);
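The seven call sites above all hand a database column straight to `unserialize()`. The following is an added example, not code from the plugin or from codepeople, showing what a safe replacement for that pattern looks like and why it matters. It assumes, as the call sites imply, that `posted_data` holds a PHP-serialized array of field => value pairs and that the booking includes unserialize a list of user IDs; the `Gadget` class, the function names and the sample rows are constructed for the demonstration. It needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the plugin: a safe replacement for the
// `unserialize($item->posted_data)` pattern at the seven call sites listed
// above. Assumptions: the column holds a PHP-serialized array of
// field => value pairs (the admin booking includes unserialize a user-ID
// list), and nothing stored there should ever be an object.

declare(strict_types=1);

/** Stand-in for a class an attacker would target: __wakeup() runs during unserialize(). */
final class Gadget
{
    public static int $woken = 0;
    public string $cmd = '';
    public function __wakeup(): void
    {
        self::$woken++; // a real gadget would act on $this->cmd here
    }
}

/** True if $value is built only from arrays, scalars and null (no objects anywhere). */
function cfte_is_plain_data($value): bool
{
    if (is_array($value)) {
        foreach ($value as $v) {
            if (!cfte_is_plain_data($v)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($value) || $value === null;
}

/**
 * Read a stored submission. Returns the decoded array, or null if the blob is
 * not a plain array (malformed, or carrying an object, which is never legitimate).
 */
function cfte_read_posted_data(string $raw): ?array
{
    // New rows are written as JSON (see cfte_write_posted_data); accept them first.
    if ($raw !== '' && ($raw[0] === '{' || $raw[0] === '[')) {
        $data = json_decode($raw, true);
        return is_array($data) && cfte_is_plain_data($data) ? $data : null;
    }
    // Legacy rows: a serialized array always starts with "a:<n>:{".
    if (!preg_match('/^a:\d+:\{/', $raw)) {
        return null;
    }
    // allowed_classes => false (PHP 7.0+) turns every O:/C: token into
    // __PHP_Incomplete_Class, so no __wakeup/__destruct/__toString gadget runs.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) && cfte_is_plain_data($data) ? $data : null;
}

/** Store a submission in a format that cannot carry objects at all. */
function cfte_write_posted_data(array $fields): string
{
    return json_encode($fields, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE);
}

/** Replacement for the @in_array($id, unserialize(...)) access check: strict and fail-closed. */
function cfte_user_in_list(int $user_id, string $raw_list): bool
{
    $list = cfte_read_posted_data($raw_list);
    if ($list === null) {
        return false; // corrupt or tampered list: deny rather than guess
    }
    $ids = array_map(fn($v) => is_numeric($v) ? (int) $v : -1, $list);
    return in_array($user_id, $ids, true);
}

// --- Demonstration on constructed inputs -------------------------------------
$legit   = serialize(['name' => 'Ada', 'email' => 'ada@example.test', 'message' => 'Hello']);
// Constructed hostile row: a submission that smuggles an object into the array.
$hostile = 'a:1:{s:4:"name";O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}}';

$before = Gadget::$woken;
unserialize($hostile);                   // the plugin's pattern: Gadget::__wakeup() executes
$ran_unsafe = Gadget::$woken - $before;

$before = Gadget::$woken;
$safe = cfte_read_posted_data($hostile); // null: object rejected, __wakeup never called
$ran_safe = Gadget::$woken - $before;

printf("unsafe path ran __wakeup %d time(s); safe path %d time(s); safe result: %s\n",
    $ran_unsafe, $ran_safe, var_export($safe, true));
var_export(cfte_read_posted_data($legit));                                   // the legitimate row decodes
echo "\n", var_export(cfte_user_in_list(7, serialize([3, 7])), true), "\n";  // true
echo var_export(cfte_user_in_list(7, 'a:1:{i:0;O:6:"Gadget":0:{}}'), true), "\n"; // false
echo cfte_write_posted_data(['name' => 'Ada']), "\n";                        // {"name":"Ada"}
```

Two points of design. `allowed_classes => false` is the minimum change that can be dropped into each existing call site without touching the storage format, and it is what makes the hostile row inert: the object becomes `__PHP_Incomplete_Class`, which `cfte_is_plain_data()` then rejects. Moving new writes to JSON removes the class of bug entirely, because `json_decode()` has no object instantiation path. The access-check replacement also drops the `@` error suppression and the loose `in_array()` comparison that the two booking includes use; a list that fails to decode now denies access instead of silently returning a value that `in_array()` would compare loosely.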

SQL Query Safety

54% prepared (28 of 52 queries)

Output Escaping

79% escaped (517 of 655 output sites)

Data Flows
4 unsanitized

Data Flow Analysis

8 flows, 4 with unsanitized paths
Flow detail shown for <cp-admin-int-list.inc> (cp-admin-int-list.inc.php:0)
Attack Surface
1 unprotected

Contact Form Email Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers (2)

auth · wp_ajax_cpcfte_feedback · cp-feedback.php:8
auth · wp_ajax_run_email_diagnostic · form-to-email.php:98
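Both handlers are registered on the `wp_ajax_` prefix, which only guarantees that the caller has a WordPress session, not that they are allowed to do anything. The page does not say which of the two is the unprotected one or what it does, so the following is an added example, not the plugin's code, of the guard a `wp_ajax_*` handler needs: a nonce check for CSRF, a capability check for authorization, then input sanitization. The action name `cfte_send_feedback`, the nonce action `cfte_feedback` and the capability `manage_options` are assumptions chosen for illustration. A small set of test doubles, defined only when WordPress is absent, lets the file run from the command line and walk through each rejection path; inside WordPress that block is skipped.

```php
<?php
// Added example, not code from the plugin: the guard every wp_ajax_* handler
// needs, shown with a CLI harness. The action name (cfte_send_feedback), nonce
// action (cfte_feedback) and capability (manage_options) are assumptions; the
// page does not say which of the two listed handlers lacks its check.

declare(strict_types=1);

// --- Minimal test doubles so the file runs from the CLI without WordPress ----
// Inside WordPress these functions exist and this whole block is skipped.
if (!function_exists('add_action')) {
    $GLOBALS['cfte_hooks']    = [];
    $GLOBALS['cfte_caps']     = ['manage_options' => false];
    $GLOBALS['cfte_response'] = null;
    function add_action(string $hook, callable $cb): void { $GLOBALS['cfte_hooks'][$hook] = $cb; }
    // Real WP: wp_verify_nonce() against a user- and time-bound token; here a fixed string.
    function check_ajax_referer(string $action, string $field, bool $die = true): bool {
        return ($_REQUEST[$field] ?? null) === 'nonce-for-' . $action;
    }
    function current_user_can(string $cap): bool { return $GLOBALS['cfte_caps'][$cap] ?? false; }
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
    function sanitize_textarea_field(string $s): string { return trim(strip_tags($s)); }
    function wp_send_json_error($data = null, int $code = 500): void {
        $GLOBALS['cfte_response'] = ['success' => false, 'code' => $code, 'data' => $data];
    }
    function wp_send_json_success($data = null): void {
        $GLOBALS['cfte_response'] = ['success' => true, 'code' => 200, 'data' => $data];
    }
}

// --- Hardened handler --------------------------------------------------------
function cfte_send_feedback(): void
{
    // 1. CSRF: the request must carry a nonce minted for this action. Passing
    //    false as the third argument keeps check_ajax_referer() from die()ing
    //    with a bare "-1", so the handler controls the response.
    if (!check_ajax_referer('cfte_feedback', 'nonce', false)) {
        wp_send_json_error(['reason' => 'bad or missing nonce'], 403);
        return;
    }
    // 2. Authorization: the wp_ajax_ prefix only proves the caller is logged in;
    //    a subscriber reaches it too. Require a capability that fits the action.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['reason' => 'insufficient capability'], 403);
        return;
    }
    // 3. Input: unslash, then sanitize to the shape the handler actually needs.
    $message = sanitize_textarea_field((string) wp_unslash($_POST['message'] ?? ''));
    if ($message === '') {
        wp_send_json_error(['reason' => 'empty message'], 400);
        return;
    }
    wp_send_json_success(['stored_chars' => strlen($message)]);
}

// Registered on wp_ajax_ only. A wp_ajax_nopriv_ registration would open the
// handler to anonymous callers and must be a deliberate choice, never a default.
add_action('wp_ajax_cfte_send_feedback', 'cfte_send_feedback');
// Browser side (e.g. admin-scripts.js) must send the nonce; it is handed over with
// wp_localize_script('cfte-admin', 'cfteAjax', ['nonce' => wp_create_nonce('cfte_feedback')]).

// --- Drive the handler through the failure modes and the success path --------
if (PHP_SAPI === 'cli' && isset($GLOBALS['cfte_hooks'])) {
    $call = function (array $post, bool $is_admin): array {
        $_POST = $_REQUEST = $post;
        $GLOBALS['cfte_caps']['manage_options'] = $is_admin;
        ($GLOBALS['cfte_hooks']['wp_ajax_cfte_send_feedback'])();
        return $GLOBALS['cfte_response'];
    };
    $good = 'nonce-for-cfte_feedback';
    print_r($call(['message' => 'hi'], true));                            // 403, bad or missing nonce
    print_r($call(['nonce' => $good, 'message' => 'hi'], false));         // 403, insufficient capability
    print_r($call(['nonce' => $good, 'message' => ''], true));            // 400, empty message
    print_r($call(['nonce' => $good, 'message' => ' <b>hi</b> '], true)); // 200, stored_chars 2
}
```

The order of the three checks matters: the nonce check runs first so that a CSRF'd administrator's browser is rejected before any capability is consulted, and the capability check runs before any input is touched so that unsanitized data from an unauthorized caller never reaches plugin logic. The Code Analysis section counts 19 nonce checks and 13 capability checks already in the plugin, so this is the same pattern applied to the site the scanner found without one.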
WordPress Hooks (22)

action · admin_bar_menu · banner.php:108
action · admin_bar_menu · bannerdk.php:120
action · elementor/widgets/widgets_registered · controllers\elementor\cp-elementor-widget.inc.php:13
action · elementor/elements/categories_registered · controllers\elementor\cp-elementor-widget.inc.php:15
action · elementor/editor/after_enqueue_styles · controllers\elementor\cp-elementor-widget.inc.php:17
action · elementor/frontend/after_enqueue_styles · controllers\elementor\cp-elementor-widget.inc.php:19
action · admin_enqueue_scripts · cp-feedback.php:7
action · admin_footer · cp-feedback.php:19
action · phpmailer_init · cp-main-class.inc.php:1746
action · media_buttons · form-to-email.php:67
action · init · form-to-email.php:68
action · init · form-to-email.php:76
action · admin_enqueue_scripts · form-to-email.php:93
action · admin_menu · form-to-email.php:95
action · enqueue_block_editor_assets · form-to-email.php:96
action · wp_loaded · form-to-email.php:97
filter · litespeed_cache_optimize_js_excludes · form-to-email.php:131
filter · option_sbp_settings · form-to-email.php:139
action · init · form-to-email.php:154
filter · get_post_metadata · form-to-email.php:155
filter · sgo_javascript_combine_exclude · form-to-email.php:167
filter · sgo_js_minify_exclude · form-to-email.php:176
Maintenance & Trust

Contact Form Email Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 16, 2026
PHP min version: not listed
Downloads: 1.7M

Community Trust

Rating: 86/100
Number of ratings: 103
Active installs: 9K
Developer Profile

Contact Form Email Developer Profile

codepeople

34 plugins · 89K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 964 days
Detection Fingerprints

How We Detect Contact Form Email

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-form-to-email/css/style.css
/wp-content/plugins/contact-form-to-email/css/jquery.ui.datepicker.css
/wp-content/plugins/contact-form-to-email/css/jquery.ui.theme.css
/wp-content/plugins/contact-form-to-email/css/jquery.ui.core.css
/wp-content/plugins/contact-form-to-email/css/jquery.ui.spinner.css
/wp-content/plugins/contact-form-to-email/css/jquery.ui.autocomplete.css
/wp-content/plugins/contact-form-to-email/css/jquery.ui.tabs.css
/wp-content/plugins/contact-form-to-email/css/jquery.ui.dialog.css
+38 more

Script Paths
/wp-content/plugins/contact-form-to-email/cp-scripts/jquery.validate.min.js
/wp-content/plugins/contact-form-to-email/cp-scripts/jquery.serialize.js
/wp-content/plugins/contact-form-to-email/cp-scripts/cp_contact_form_to_email_main.js
/wp-content/plugins/contact-form-to-email/cp-scripts/gutenberg-editor-plugin.js
/wp-content/plugins/contact-form-to-email/cp-scripts/admin-scripts.js
/wp-content/plugins/contact-form-to-email/cp-scripts/cp-dialog.js
+2 more

Version Parameters
contact-form-to-email/style.css?ver=
contact-form-to-email/css/style.css?ver=
contact-form-to-email/cp-scripts/datetimepicker/jquery.datetimepicker.min.css?ver=
contact-form-to-email/cp-scripts/jquery.validate.min.js?ver=
contact-form-to-email/cp-scripts/jquery.serialize.js?ver=
contact-form-to-email/cp-scripts/cp_contact_form_to_email_main.js?ver=
contact-form-to-email/cp-scripts/gutenberg-editor-plugin.js?ver=
contact-form-to-email/cp-scripts/admin-scripts.js?ver=
contact-form-to-email/cp-scripts/cp-dialog.js?ver=
contact-form-to-email/cp-scripts/datetimepicker/jquery.datetimepicker.full.min.js?ver=
contact-form-to-email/cp-scripts/jquery.blockUI.js?ver=

HTML / DOM Fingerprints

CSS Classes
cp_contact_form_to_email, cp_cfte_captcha_image, cp_cfte_captcha_input, cp_cfte_button

HTML Comments
START: activation redirection; END: activation redirection; register gutemberg block improve block; +4 more

Data Attributes
data-form-id, data-instance-id

JS Globals
CP_CFEMAIL_DEFER_SCRIPTS_LOADING, CP_CFEMAIL_DEFAULT_form_structure, CP_CFEMAIL_DEFAULT_fp_subject, CP_CFEMAIL_DEFAULT_fp_inc_additional_info, CP_CFEMAIL_DEFAULT_fp_return_page, CP_CFEMAIL_DEFAULT_fp_message, +29 more

Shortcode Output
[contact-form-to-email-form
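The patterns above are what an audit crawler matches against a rendered page. As an added example, not part of this page's tooling or of the plugin, the script below applies them to an already-fetched HTML document: it reports which fingerprint families matched, pulls the version out of the `?ver=` parameter on the plugin's own assets, and looks that version up against the affected ranges stated in the CVE list on this page. The sample HTML is constructed, not captured from a real site; the advisory table holds only the entries above that give an upper version bound; the function names are this example's own. It needs PHP 8.0 or later.

```php
<?php
// Added example, not part of the page or the plugin: a passive fingerprint check
// built from the patterns listed above, run over a constructed HTML sample.

declare(strict_types=1);

const CFTE_SLUG = 'contact-form-to-email';

/** [CVE, last affected version, fixed version], taken from the vulnerability list above. */
const CFTE_ADVISORIES = [
    ['CVE-2025-10019', '1.3.60', '1.3.61'],
    ['CVE-2025-64369', '1.3.58', '1.3.59'],
    ['CVE-2025-24727', '1.3.52', '1.3.53'],
    ['CVE-2024-31302', '1.3.44', '1.3.45'],
    ['CVE-2023-5955',  '1.3.43', '1.3.44'],
    ['CVE-2023-48318', '1.3.41', '1.3.42'],
    ['CVE-2023-2718',  '1.3.37', '1.3.38'],
];

/** Return the fingerprint families found in $html and any version hints. */
function cfte_fingerprint(string $html): array
{
    $hits = ['asset_paths' => [], 'versions' => [], 'css_classes' => [],
             'js_globals' => [], 'data_attrs' => [], 'shortcode' => false];

    // Asset and script paths under the plugin directory, with the optional ?ver= captured.
    $re = '#/wp-content/plugins/' . preg_quote(CFTE_SLUG, '#') . '/([^"\'\s?<>]+)(?:\?ver=([0-9][\w.\-]*))?#';
    if (preg_match_all($re, $html, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $hits['asset_paths'][] = $match[1];
            if (isset($match[2]) && $match[2] !== '') {
                $hits['versions'][] = $match[2];
            }
        }
    }
    // DOM markers: form container and captcha/button classes, JS globals, data attributes, shortcode.
    preg_match_all('/\bcp_(?:contact_form_to_email|cfte_[a-z_]+)\b/', $html, $m);
    $hits['css_classes'] = array_values(array_unique($m[0]));
    preg_match_all('/\bCP_CFEMAIL_[A-Za-z_]+\b/', $html, $m);
    $hits['js_globals'] = array_values(array_unique($m[0]));
    preg_match_all('/\bdata-(?:form-id|instance-id)\b/', $html, $m);
    $hits['data_attrs'] = array_values(array_unique($m[0]));
    $hits['shortcode'] = str_contains($html, '[contact-form-to-email-form');

    $hits['asset_paths'] = array_values(array_unique($hits['asset_paths']));
    $hits['versions']    = array_values(array_unique($hits['versions']));
    $hits['detected']    = $hits['asset_paths'] !== [] || $hits['css_classes'] !== [] || $hits['js_globals'] !== [];
    return $hits;
}

/** CVEs from the table whose affected range (inclusive upper bound) contains $version. */
function cfte_known_cves(string $version): array
{
    $out = [];
    foreach (CFTE_ADVISORIES as [$cve, $last_affected, $fixed]) {
        if (version_compare($version, $last_affected, '<=')) {
            $out[] = "$cve (fixed in $fixed)";
        }
    }
    return $out;
}

// --- Constructed sample page (not captured from a real site) -----------------
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/contact-form-to-email/css/style.css?ver=1.3.58">
<script src="https://example.test/wp-content/plugins/contact-form-to-email/cp-scripts/cp_contact_form_to_email_main.js?ver=1.3.58"></script>
<script>var CP_CFEMAIL_DEFER_SCRIPTS_LOADING = 0;</script>
<div class="cp_contact_form_to_email" data-form-id="1" data-instance-id="1">
  <img class="cp_cfte_captcha_image" src="captcha.png"><input class="cp_cfte_captcha_input" name="captcha">
  <button class="cp_cfte_button">Send</button>
</div>
HTML;

$fp = cfte_fingerprint($sample);
print_r($fp);
// One version across all assets is the normal case. Several distinct values mean a
// cache or minify plugin rewrote ?ver= and the number should not be trusted.
if (count($fp['versions']) === 1) {
    print_r(cfte_known_cves($fp['versions'][0])); // 1.3.58: CVE-2025-10019, CVE-2025-64369
}
```

Treat the `?ver=` value as a hint rather than proof: WordPress emits its own version there when a plugin enqueues an asset without one, and optimisation plugins (the hooks list above shows this plugin registering exclusions for LiteSpeed and SiteGround Optimizer for exactly that reason) can rewrite or strip it. The usual confirmation on a wordpress.org plugin is the `Stable tag:` line in `/wp-content/plugins/contact-form-to-email/readme.txt`, when the site leaves that file readable.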
FAQ

Frequently Asked Questions about Contact Form Email