Contact Forms by Cimatti Security & Risk Analysis

wordpress.org/plugins/contact-forms

Create and publish forms in your WordPress website with drag and drop. Contact forms, landing page forms, invitations, and more.

700 active installs · v1.9.13 · PHP + WP 3.5+ · Updated Nov 14, 2025

Tags: contact-form, email-notifications, form-api, form-builder, lead-generation

Security score: 91 (A · Safe)
CVEs total: 11
Unpatched: 0
Last CVE: Jun 2, 2025
Safety Verdict

Is Contact Forms by Cimatti Safe to Use in 2026?

Generally Safe

Score 91/100

Contact Forms by Cimatti has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Jun 2, 2025 · Updated 4mo ago
Risk Assessment

The "contact-forms" plugin v1.9.13 presents a mixed security posture. While it demonstrates some good practices like a significant percentage of SQL queries using prepared statements and a good number of nonce and capability checks, several concerning areas exist. The static analysis highlights a notable attack surface with 12 entry points, of which 2 lack authentication checks, making them prime targets for unauthorized actions. The presence of dangerous functions like `unserialize` and `create_function`, coupled with a very low percentage (6%) of properly escaped output, strongly indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the taint analysis reveals 6 high-severity flows with unsanitized paths, suggesting potential for data manipulation or execution vulnerabilities.

The plugin's vulnerability history is particularly worrying, with 11 known CVEs, all of which are currently patched. However, the prevalence of medium and high severity vulnerabilities, specifically CSRF, Missing Authorization, and XSS, in the past indicates a recurring pattern of weaknesses in its security implementation. The last reported vulnerability was recent (2025-06-02), which, despite being patched, underscores the ongoing need for vigilance. The combination of direct code vulnerabilities and historical patterns suggests that this plugin, while not currently exposing unpatched critical issues, carries inherent risks due to its codebase and past security record.

Key Concerns

  • Unprotected AJAX handlers
  • High-severity unsanitized taint flows
  • Dangerous functions present (`unserialize`, `create_function`)
  • Very low output escaping percentage
  • Previous high severity vulnerabilities
  • Previous medium severity vulnerabilities
Vulnerabilities (11)

Contact Forms by Cimatti Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 5 CVEs
2024: 3 CVEs
2025: 2 CVEs

Severity Breakdown

High: 2
Medium: 9
Total: 11 CVEs

CVE-2025-49069 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Contact Forms by Cimatti Plugin <= 1.9.8 - Cross-Site Request Forgery
Jun 2, 2025 · Patched in 1.9.9 (5d)

CVE-2024-12184 · medium · 5.3 · Missing Authorization
WordPress Contact Forms by Cimatti <= 1.9.4 - Missing Authorization to Unauthenticated Form Submission Download
Jan 31, 2025 · Patched in 1.9.5 (1d)

CVE-2024-10521 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WordPress Contact Forms by Cimatti <= 1.9.2 - Cross-Site Request Forgery via process_bulk_action Function
Nov 26, 2024 · Patched in 1.9.3 (1d)

CVE-2024-30549 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Forms by Cimatti <= 1.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Mar 29, 2024 · Patched in 1.9.1 (39d)

CVE-2024-29117 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Forms by Cimatti <= 1.7.0 - Unauthenticated Stored Cross-Site Scripting
Mar 16, 2024 · Patched in 1.8.0 (5d)

CVE-2023-47230 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Contact Forms by Cimatti <= 1.6.0 - Cross-Site Request Forgery via accua_forms_list_page_table
Oct 25, 2023 · Patched in 1.6.1 (90d)

CVE-2023-35051 · medium · 4.3 · Missing Authorization
WordPress Contact Forms by Cimatti <= 1.5.7 - Missing Authorization
Jun 13, 2023 · Patched in 1.5.8 (585d)

CVE-2023-2563 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WordPress Contact Forms by Cimatti <= 1.5.7 - Cross-Site Request Forgery via _accua_forms_form_edit_action
Jun 12, 2023 · Patched in 1.5.8 (225d)

CVE-2023-28781 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Contact Forms by Cimatti <= 1.5.4 - Unauthenticated Stored Cross-Site Scripting
Mar 27, 2023 · Patched in 1.5.5 (302d)

CVE-2023-28789 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Forms by Cimatti <= 1.5.4 - Reflected Cross-Site Scripting via 'form-field-id', 'edit-fid', 'id', 'name', 'type', 'description' Parameters
Mar 27, 2023 · Patched in 1.5.5 (302d)

CVE-2021-24744 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cimatti Contact Forms <= 1.4.11 - Cross-Site Scripting
Sep 27, 2021 · Patched in 1.4.12 (848d)
Code Analysis
Analyzed Mar 16, 2026

Contact Forms by Cimatti Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 19 (89 prepared)
Unescaped Output: 487 (30 escaped)
Nonce Checks: 25
Capability Checks: 19
File Operations: 39
External Requests: 1
Bundled Libraries: 2

Dangerous Functions Found

  • `unserialize`: `@ $form = unserialize($data);` (AccuaForm.php:595)
  • `unserialize`: `return unserialize($_SESSION["pfbc"][$id]["form"]);` (PFBC\Form.php:245)
  • `create_function`: `return create_function('$_action, &$self, $_text', $init_crypt . 'if ($_action == "encrypt") { ' . ` (phpseclib-crypt\Base.php:2559)

Bundled Libraries

jQuery, TinyMCE

SQL Query Safety

82% prepared (108 total queries)

Output Escaping

6% escaped (517 total outputs)

Data Flows (10 unsanitized)

Data Flow Analysis

14 flows, 10 with unsanitized paths

  • accua_forms_submissions_list_page (accua-forms-submissions-page.php:428)
Attack Surface (2 unprotected)

Contact Forms by Cimatti Attack Surface

Entry Points: 12
Unprotected: 2

AJAX Handlers (11)

  • auth · wp_ajax_accua_form_submit · accua-form-api.php:45
  • nopriv · wp_ajax_accua_form_submit · accua-form-api.php:46
  • auth · wp_ajax_accua-form-fields-order · accua-forms.php:198
  • auth · wp_ajax_accua-save-form-field · accua-forms.php:249
  • auth · wp_ajax_accua-save-form-settings · accua-forms.php:455
  • auth · wp_ajax_accua_forms_download_submitted_file · accua-forms.php:3910
  • nopriv · wp_ajax_accua_forms_download_submitted_file · accua-forms.php:3911
  • auth · wp_ajax_accua_forms_preview · accua-forms.php:4020
  • auth · wp_ajax_accua_forms_submission_page_save_excel · accua-forms.php:4045
  • auth · wp_ajax_accua-forms-set-lead-status · accua-forms.php:4619
  • auth · wp_ajax_accua_shortcode_button_popup · accua-shortcode-button.php:47

Shortcodes (1)

  • [accua-form] · accua-forms.php:3771

WordPress Hooks (18)

  • action · wp_print_scripts · accua-form-api.php:18
  • action · wp_enqueue_scripts · accua-form-api.php:24
  • action · admin_enqueue_scripts · accua-form-api.php:25
  • action · login_enqueue_scripts · accua-form-api.php:26
  • action · wp_print_styles · accua-form-api.php:27
  • action · plugins_loaded · accua-form-api.php:37
  • action · admin_menu · accua-forms.php:2
  • action · accua_form_alter · accua-forms.php:2823
  • filter · accua_form_validate · accua-forms.php:3212
  • action · accua_form_submit · accua-forms.php:3246
  • filter · mce_external_plugins · accua-shortcode-button.php:19
  • filter · mce_buttons · accua-shortcode-button.php:20
  • action · admin_footer · accua-shortcode-button.php:23
  • action · init · accua-shortcode-button.php:39
  • action · wp_dashboard_setup · contact-forms.php:81
  • action · plugins_loaded · contact-forms.php:703
  • filter · robots_txt · contact-forms.php:712
  • action · rest_api_init · contact-forms.php:758
Maintenance & Trust

Contact Forms by Cimatti Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 14, 2025
PHP min version:
Downloads: 79K

Community Trust

Rating: 88/100
Number of ratings: 16
Active installs: 700
Developer Profile

Contact Forms by Cimatti Developer Profile

cimatti

1 plugin · 700 total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 218 days
Detection Fingerprints

How We Detect Contact Forms by Cimatti

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-forms/accua.css
/wp-content/plugins/contact-forms/chartjs/Chart.min.js
Script Paths
/wp-content/plugins/contact-forms/chartjs/Chart.min.js
Version Parameters
plugins/contact-forms/accua.css?ver=
plugins/contact-forms/chartjs/Chart.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
accua-forms-versionbt
Data Attributes
data-type="contact-forms-field"
JS Globals
accua_forms
Shortcode Output
[contact-form-input] [contact-form-submit]
FAQ

Frequently Asked Questions about Contact Forms by Cimatti