Does CubeWP Forms have any unpatched vulnerabilities?

Yes — CubeWP Forms currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is CubeWP Forms compatible with WordPress 6.9.4?

According to WordPress.org data, CubeWP Forms 1.1.10 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is CubeWP Forms compatible with PHP 7.0+?

CubeWP Forms requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is CubeWP Forms updated?

CubeWP Forms was last updated on Jan 8, 2026. Frequent updates are generally a positive security signal.

What is CubeWP Forms's security score?

CubeWP Forms has a WP-Safety security score of 73/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

CubeWP Forms Security & Risk Analysis

wordpress.org/plugins/cubewp-forms

CubeWP Forms is a 100% free drag-and-drop builder for creating contact forms, lead gen forms, appointment request forms, and newsletter signup forms.

4K active installs v1.1.10 PHP 7.0+ WP 5.0+ Updated Jan 8, 2026

conditional-fieldscontact-formcustom-fieldslead-formleads-management

B · Generally Safe

CVEs total3

Unpatched1

Last CVEJun 12, 2025

Plugin page Download

Safety Verdict

Is CubeWP Forms Safe to Use in 2026?

Mostly Safe

Score 73/100

CubeWP Forms is generally safe to use. 3 past CVEs were resolved.

3 known CVEs 1 unpatched Last CVE: Jun 12, 2025Updated 4mo ago

Risk Assessment

The cubewp-forms plugin, version 1.1.10, presents a mixed security posture. While it exhibits several good security practices such as a lack of unprotected entry points and a high percentage of SQL queries using prepared statements, significant concerns remain. The presence of the `unserialize` function is a notable risk, especially when combined with identified taint flows that have unsanitized paths. The vulnerability history reveals a pattern of past issues, including a currently unpatched high-severity vulnerability and common types like missing authorization and Cross-Site Scripting, suggesting a recurring need for robust security development practices. The plugin has a moderate attack surface, but the total number of entry points and the high percentage of properly escaped outputs are positive indicators. However, the presence of a known, unpatched high-severity vulnerability and the potential risks associated with unserialize functionality and unsanitized taint flows create a situation that requires immediate attention.

Key Concerns

Unpatched high severity CVE
Dangerous function: unserialize used
Taint flows with unsanitized paths (x2)
Known vulnerability history pattern

Vulnerabilities

3 published

CubeWP Forms Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

2 CVEs in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

High

Medium

3 total CVEs

CVE-2025-49880medium · 4.3Missing Authorization

CubeWP Forms <= 1.1.5 - Missing Authorization

Jun 12, 2025 Patched in 1.1.6 (6d)

CVE-2024-51651medium · 5.3Missing Authorization

CubeWP Forms – All-in-One Form Builder <= 1.1.5 - Missing Authorization

Jan 6, 2025Unpatched

CVE-2024-47300high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CubeWP Forms – All-in-One Form Builder <= 1.1.1 - Unauthenticated Stored Cross-Site Scripting

Sep 24, 2024 Patched in 1.1.2 (9d)

Version History

CubeWP Forms Release Timeline

v1.1.10Current1 CVE

v1.1.91 CVE

v1.1.81 CVE

v1.1.71 CVE

v1.1.61 CVE

v1.1.52 CVEs

CVE-2025-49880 CVE-2024-51651

v1.1.42 CVEs

CVE-2025-49880 CVE-2024-51651

v1.1.32 CVEs

CVE-2025-49880 CVE-2024-51651

v1.1.22 CVEs

CVE-2025-49880 CVE-2024-51651

v1.1.13 CVEs

CVE-2025-49880 CVE-2024-51651 CVE-2024-47300

v1.13 CVEs

CVE-2025-49880 CVE-2024-51651 CVE-2024-47300

v1.0.53 CVEs

CVE-2025-49880 CVE-2024-51651 CVE-2024-47300

v1.0.43 CVEs

CVE-2025-49880 CVE-2024-51651 CVE-2024-47300

v1.0.33 CVEs

CVE-2025-49880 CVE-2024-51651 CVE-2024-47300

v1.0.23 CVEs

CVE-2025-49880 CVE-2024-51651 CVE-2024-47300

v1.0.13 CVEs

CVE-2025-49880 CVE-2024-51651 CVE-2024-47300

v1.0.03 CVEs

CVE-2025-49880 CVE-2024-51651 CVE-2024-47300

Code Analysis

Analyzed Mar 16, 2026

CubeWP Forms Code Analysis

Dangerous Functions

Raw SQL Queries

8 prepared

Unescaped Output

151 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$fields = unserialize($leads['fields']);cube\classes\class-cubewp-forms-dashboard.php:52

unserialize$fields = unserialize($form_data['fields']);cube\classes\class-cubewp-forms-dashboard.php:273

unserialize$fields = unserialize($form_data['fields']);cube\classes\class-cubewp-forms-leads.php:158

SQL Query Safety

67% prepared12 total queries

Output Escaping

83% escaped182 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

5 flows2 with unsanitized paths

extra_tablenav (cube\classes\class-cubewp-forms-data-table.php:210)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

CubeWP Forms Attack Surface

Entry Points6

Unprotected0

AJAX Handlers 5

authwp_ajax_cwp_forms_datacube\classes\class-cubewp-forms-dashboard.php:22

authwp_ajax_cubewp_submit_custom_formcube\classes\class-cubewp-forms-frontend-custom-form.php:29

noprivwp_ajax_cubewp_submit_custom_formcube\classes\class-cubewp-forms-frontend-custom-form.php:30

authwp_ajax_clear_mailchimp_logscube\functions\functions.php:626

authwp_ajax_get_email_template_datacube\functions\functions.php:646

Shortcodes 1

[cwpCustomForm] cube\classes\class-cubewp-forms-frontend-custom-form.php:28

WordPress Hooks 44

actionplugins_loadedcube\classes\class-cubewp-forms-custom.php:53

actioninitcube\classes\class-cubewp-forms-custom.php:54

actioninitcube\classes\class-cubewp-forms-custom.php:62

filtercubewp-submenucube\classes\class-cubewp-forms-custom.php:67

actionadmin_initcube\classes\class-cubewp-forms-custom.php:68

filteruser/dashboard/content/typescube\classes\class-cubewp-forms-custom.php:69

actioncubewp_form_fieldscube\classes\class-cubewp-forms-custom.php:70

actioninitcube\classes\class-cubewp-forms-custom.php:82

actioninitcube\classes\class-cubewp-forms-custom.php:83

filtercubewp/posttypes/newcube\classes\class-cubewp-forms-custom.php:89

actioninitcube\classes\class-cubewp-forms-custom.php:90

actioninitcube\classes\class-cubewp-forms-custom.php:91

actioninitcube\classes\class-cubewp-forms-custom.php:92

actionrest_api_initcube\classes\class-cubewp-forms-custom.php:93

actionelementor/widgets/registercube\classes\class-cubewp-forms-elementor.php:58

filtercubewp/posttypes/newcube\classes\class-cubewp-forms-emails.php:19

filterpost_updated_messagescube\classes\class-cubewp-forms-emails.php:20

actionadmin_initcube\classes\class-cubewp-forms-emails.php:21

actionadmin_headcube\classes\class-cubewp-forms-emails.php:22

actionsave_postcube\classes\class-cubewp-forms-emails.php:23

actionadd_meta_boxescube\classes\class-cubewp-forms-emails.php:24

filterenter_title_herecube\classes\class-cubewp-forms-emails.php:25

filterdefault_contentcube\classes\class-cubewp-forms-emails.php:26

filterfrontend/style/registercube\classes\class-cubewp-forms-enqueue.php:23

filteradmin/script/enqueuecube\classes\class-cubewp-forms-enqueue.php:24

filterfrontend/script/registercube\classes\class-cubewp-forms-enqueue.php:25

filterget_frontend_script_datacube\classes\class-cubewp-forms-enqueue.php:26

filteradmin/style/registercube\classes\class-cubewp-forms-enqueue.php:27

filteradmin/script/registercube\classes\class-cubewp-forms-enqueue.php:28

actioncubewp_submit_custom_form_aftercube\classes\class-cubewp-forms-frontend-custom-form.php:32

filtercubewp/frontend/post/repeating_field/argscube\classes\class-cubewp-forms-frontend-custom-form.php:114

actioncubewp_custom_form_datacube\classes\class-cubewp-forms-leads.php:18

actioncubewp_custom_form_templatescube\classes\class-cubewp-forms-templates.php:18

filtercubewp/custom_fields/typecube\classes\class-cubewp-forms-ui.php:28

filtercubewp/custom-fields/group/datacube\classes\class-cubewp-forms-ui.php:29

actionadmin_initcube\functions\functions.php:33

filtercubewp/custom_fields/custom_forms/fieldscube\functions\functions.php:421

filtercubewp/options/sectionscube\functions\functions.php:530

filtercubewp/import/content/pathcube\functions\functions.php:547

filtercubewp/after/import/redirectcube\functions\functions.php:562

filtercubewp/custom_fields/custom_forms/fieldscube\functions\functions.php:581

actioncubewp_forms_mailchimp_errorscube\functions\functions.php:583

actioncubewp_loadedcubewp-forms.php:69

actionadmin_noticescubewp-forms.php:101

Maintenance & Trust

CubeWP Forms Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 8, 2026

PHP min version7.0

Downloads72K

Community Trust

Rating0/100

Number of ratings0

Active installs4K

Alternatives

CubeWP Forms Alternatives

Ninja Forms – The Contact Form Builder That Grows With You

ninja-forms

The 100% beginner friendly WordPress form builder. Drag & drop form fields to build beautiful, professional contact forms in minutes.

600K 75 CVEs

Conditional Fields for Contact Form 7

cf7-conditional-fields

Adds conditional logic to Contact Form 7.

100K 4 CVEs

ACF Field For CF7

acf-field-for-contact-form-7

100

Add a Contact Form 7 field to Advanced Custom Fields. Pick a form, display it. No shortcodes, no hassle.

10K No CVEs

Lead Form Builder & Contact Form

lead-form-builder

Drag & Drop Contact Form Builder for WordPress to create contact, lead generation, newsletter & registration forms. Works with Elementor & Gutenberg.

10K 11 CVEs

Advanced Forms for ACF

advanced-forms

Flexible and developer-friendly forms using the power of Advanced Custom Fields

3K 2 CVEs

Developer Profile

CubeWP Forms Developer Profile

Imran Tauqeer

3 plugins · 8K total installs

trust score

Avg Security Score

75/100

Avg Patch Time

5 days

View full developer profile

Detection Fingerprints

How We Detect CubeWP Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/cubewp-forms/assets/css/cubewp-forms.css/wp-content/plugins/cubewp-forms/assets/js/cubewp-forms.js/wp-content/plugins/cubewp-forms/assets/js/cubewp-forms-admin.js

Script Paths

/wp-content/plugins/cubewp-forms/assets/js/cubewp-forms.js/wp-content/plugins/cubewp-forms/assets/js/cubewp-forms-admin.js

Version Parameters

cubewp-forms/assets/css/cubewp-forms.css?ver=cubewp-forms/assets/js/cubewp-forms.js?ver=cubewp-forms/assets/js/cubewp-forms-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

cubewp-forms-wrapcubewp-forms-submit-btn

Data Attributes

data-form-id

JS Globals

CWP_FORMS_PLUGIN_URLcubewp_forms_submit_custom_form_params

REST Endpoints

/cubewp-custom-form/v1/submit/

Shortcode Output

[cwpCustomForm

FAQ

CubeWP Forms Security & Risk Analysis

Is CubeWP Forms Safe to Use in 2026?

Mostly Safe

Key Concerns

CubeWP Forms Security Vulnerabilities

CVEs by Year

Severity Breakdown

CubeWP Forms Release Timeline

CubeWP Forms Code Analysis

Dangerous Functions Found

SQL Query Safety

Output Escaping

Data Flow Analysis

CubeWP Forms Attack Surface

AJAX Handlers 5

Shortcodes 1

CubeWP Forms Maintenance & Trust

Maintenance Signals

Community Trust

CubeWP Forms Alternatives

Ninja Forms – The Contact Form Builder That Grows With You

Conditional Fields for Contact Form 7

ACF Field For CF7

Lead Form Builder & Contact Form

Advanced Forms for ACF

CubeWP Forms Developer Profile

How We Detect CubeWP Forms

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about CubeWP Forms