CRM Perks Forms – WordPress Form Builder Security & Risk Analysis

wordpress.org/plugins/crm-perks-forms

Create beautiful contact forms and popups with floating buttons.

1K active installs v1.1.7 PHP 5.3+ WP 3.8+ Updated Dec 15, 2025
Tags: best-form-builder, contact-form, form-builder, free-form-builder, visual-form-builder
Score: 89 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Aug 5, 2024
Safety Verdict

Is CRM Perks Forms – WordPress Form Builder Safe to Use in 2026?

Generally Safe

Score 89/100

CRM Perks Forms – WordPress Form Builder has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Aug 5, 2024 · Updated 3mo ago
Risk Assessment

The "crm-perks-forms" plugin exhibits a concerning security posture, largely due to its historical vulnerability patterns and several weaknesses identified in the static analysis. While the absence of critical taint flows and dangerous functions is positive, the plugin has a history of 8 known CVEs, including 2 critical and 1 high severity. The recurrence of vulnerability types such as Unrestricted Upload, Missing Authorization, Cross-Site Scripting, and SQL Injection strongly suggests systemic issues in how user input is handled and access is controlled. The static analysis reveals a notable attack surface with 3 out of 9 AJAX handlers lacking authentication checks, presenting an immediate risk. Furthermore, only 7% of output is properly escaped, indicating a high likelihood of Cross-Site Scripting vulnerabilities. The SQL query situation is mixed, with 56% using prepared statements, but the remaining 44% may still be susceptible to injection if not properly sanitized. The presence of bundled libraries like Select2, if outdated, could also introduce further risks, though their specific version and vulnerability status are not provided. In conclusion, while the plugin has no currently unpatched critical CVEs, its past record and the static analysis findings point to significant ongoing risks that require immediate attention and robust remediation.

Key Concerns

  • 3 AJAX handlers without auth checks
  • Only 7% output properly escaped
  • 2 Critical CVEs in history
  • 1 High CVE in history
  • 5 Medium CVEs in history
  • Vulnerability pattern: SQL Injection
  • Vulnerability pattern: XSS
  • Vulnerability pattern: Missing Auth
  • Vulnerability pattern: Unrestricted Upload
  • 44% SQL queries not using prepared statements
Vulnerabilities
8

CRM Perks Forms – WordPress Form Builder Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 2 CVEs
2024: 5 CVEs

Severity Breakdown

Critical: 2
High: 1
Medium: 5

8 total CVEs

CVE-2024-7484 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

CRM Perks Forms <= 1.1.3 - Authenticated (Administrator+) Arbitrary File Upload

Aug 5, 2024 Patched in 1.1.4 (1d)
CVE-2024-37463 · medium · 5.3 · Missing Authorization

CRM Perks Forms <= 1.1.5 - Missing Authorization to Unauthenticated Form Submission

Jul 1, 2024 Patched in 1.1.6 (9d)
CVE-2024-30446 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CRM Perks Forms <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 28, 2024 Patched in 1.1.5 (7d)
CVE-2024-30498 · critical · 10 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CRM Perks Forms <= 1.1.4 - Unauthenticated SQL Injection

Mar 28, 2024 Patched in 1.1.5 (7d)
CVE-2024-30499 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CRM Perks Forms <= 1.1.4 - Authenticated (Contributor+) SQL Injection

Mar 28, 2024 Patched in 1.1.5 (7d)
CVE-2023-51536 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CRM Perks Forms <= 1.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 27, 2023 Patched in 1.1.3 (27d)
CVE-2023-2836 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CRM Perks Forms <= 1.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

May 30, 2023 Patched in 1.1.2 (238d)
CVE-2022-38467 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CRM Perks Forms <= 1.1.0 - Reflected Cross-Site Scripting

Sep 30, 2022 Patched in 1.1.1 (480d)
Code Analysis
Analyzed Mar 16, 2026

CRM Perks Forms – WordPress Form Builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 11 (14 prepared)
Unescaped Output: 541 (41 escaped)
Nonce Checks: 10
Capability Checks: 15
File Operations: 5
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

56% prepared · 25 total queries

Output Escaping

7% escaped · 582 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
handle_form (includes\admin-pages.php:941)
Attack Surface
3 unprotected

CRM Perks Forms – WordPress Form Builder Attack Surface

Entry Points: 10
Unprotected: 3

AJAX Handlers 9

auth · wp_ajax_vx_form_save_api_settings · includes\admin-pages.php:18
auth · wp_ajax_vx_form_save_main_form · includes\admin-pages.php:21
auth · wp_ajax_vx_other_forms_export_html · includes\admin-pages.php:23
auth · wp_ajax_vx_form_import_forms · includes\admin-pages.php:25
auth · wp_ajax_vx_form_edit_entry_note · includes\admin-pages.php:26
auth · wp_ajax_vx_form_edit_entry_toggle · includes\admin-pages.php:27
nopriv · wp_ajax_post_cfx_form · includes\front-form.php:49
auth · wp_ajax_post_cfx_form · includes\front-form.php:50
auth · wp_ajax_cfx_form_review_dismiss · wp\crmperks-notices.php:21

Shortcodes 1

[crmperks-forms] includes\front-form.php:41

WordPress Hooks 19

action · plugins_loaded · crm-perks-forms.php:39
action · init · crm-perks-forms.php:46
action · admin_menu · includes\admin-pages.php:13
action · admin_init · includes\admin-pages.php:14
action · admin_enqueue_scripts · includes\admin-pages.php:16
filter · set-screen-option · includes\admin-pages.php:30
filter · plugin_action_links · includes\admin-pages.php:31
action · media_buttons · includes\editor-btn.php:6
action · admin_footer · includes\editor-btn.php:28
action · wp_enqueue_scripts · includes\front-form.php:42
action · init · includes\front-form.php:43
action · wp_footer · includes\front-form.php:44
action · wp_footer · includes\front-form.php:45
filter · plugin_row_meta · wp\crmperks-notices.php:15
action · admin_notices · wp\crmperks-notices.php:17
filter · plugins_api · wp\crmperks-notices.php:18
action · add_section_cfx_form · wp\crmperks-notices.php:23
filter · admin_footer_text · wp\crmperks-notices.php:26
action · admin_notices · wp\crmperks-notices.php:27
Maintenance & Trust

CRM Perks Forms – WordPress Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 15, 2025
PHP min version: 5.3
Downloads: 39K

Community Trust

Rating: 96/100
Number of ratings: 32
Active installs: 1K
Developer Profile

CRM Perks Forms – WordPress Form Builder Developer Profile

CRM Perks

32 plugins · 105K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 349 days
Detection Fingerprints

How We Detect CRM Perks Forms – WordPress Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/crm-perks-forms/css/style.css
/wp-content/plugins/crm-perks-forms/css/admin.css
/wp-content/plugins/crm-perks-forms/js/main.js
/wp-content/plugins/crm-perks-forms/js/admin.js
/wp-content/plugins/crm-perks-forms/js/cfx-forms-script.js
/wp-content/plugins/crm-perks-forms/css/tooltip.css
/wp-content/plugins/crm-perks-forms/css/cropper.min.css
/wp-content/plugins/crm-perks-forms/js/cropper.min.js
+2 more

Script Paths
/wp-content/plugins/crm-perks-forms/js/main.js
/wp-content/plugins/crm-perks-forms/js/admin.js
/wp-content/plugins/crm-perks-forms/js/cfx-forms-script.js
/wp-content/plugins/crm-perks-forms/js/cropper.min.js
/wp-content/plugins/crm-perks-forms/js/sweetalert.min.js
/wp-content/plugins/crm-perks-forms/js/jquery.ui.datepicker.js

Version Parameters
/wp-content/plugins/crm-perks-forms/css/style.css?ver=
/wp-content/plugins/crm-perks-forms/css/admin.css?ver=
/wp-content/plugins/crm-perks-forms/js/main.js?ver=
/wp-content/plugins/crm-perks-forms/js/admin.js?ver=
/wp-content/plugins/crm-perks-forms/js/cfx-forms-script.js?ver=
/wp-content/plugins/crm-perks-forms/css/tooltip.css?ver=
/wp-content/plugins/crm-perks-forms/css/cropper.min.css?ver=
/wp-content/plugins/crm-perks-forms/js/cropper.min.js?ver=
/wp-content/plugins/crm-perks-forms/js/sweetalert.min.js?ver=
/wp-content/plugins/crm-perks-forms/js/jquery.ui.datepicker.js?ver=

HTML / DOM Fingerprints

CSS Classes
cfx-form, cfx-admin-form, cfx_form_field, cfx_form_field_label, cfx_form_field_input, cfx_form_submit_button, cfx-pro-badge, cfx-main-menu

Data Attributes
data-cfx-form-id, data-field-type

JS Globals
cfx_forms_params
FAQ

Frequently Asked Questions about CRM Perks Forms – WordPress Form Builder