Custom Contact Forms Security & Risk Analysis

wordpress.org/plugins/custom-contact-forms

Build beautiful custom forms and manage submissions the WordPress way. View live previews of your forms while you build them.

7K active installs · v7.8.5 · PHP + WP 3.9+ · Updated Nov 28, 2017
Tags: captcha-form, contact-form, custom-contact-form, custom-forms, web-form

Score: 83
Grade: B · Generally Safe
CVEs total: 2
Unpatched: 0
Last CVE: Sep 17, 2014
Safety Verdict

Is Custom Contact Forms Safe to Use in 2026?

Mostly Safe

Score 83/100

Custom Contact Forms is generally safe to use though it hasn't been updated recently. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · Last CVE: Sep 17, 2014 · Updated 8yr ago
Risk Assessment

The plugin "custom-contact-forms" v7.8.5 presents a mixed security posture. On the positive side, it exhibits strong practices in output escaping, with 93% of outputs properly escaped, and a good number of nonce and capability checks, suggesting an awareness of common WordPress security vulnerabilities. The attack surface appears small, with no unprotected entry points identified in the static analysis.

However, several concerns warrant attention. The presence of the `unserialize` function is a significant risk, as it can lead to PHP object injection and, through that, remote code execution if it is called on untrusted input. The taint analysis revealed four high-severity flows with unsanitized paths, indicating potential vulnerabilities where user input could be processed without proper validation. While there are no currently unpatched CVEs, the plugin has a history of two known vulnerabilities, including a past critical one related to missing authorization and XSS. This historical pattern, combined with the high-severity taint flows, suggests a recurring potential for input validation and authorization issues.

In conclusion, while the plugin demonstrates good output sanitization and has a contained attack surface, the use of `unserialize` and the identified high-severity taint flows are critical concerns. The historical vulnerability data further reinforces the need for vigilance. Prioritizing the remediation of these specific code signals and taint flows is crucial for improving the plugin's overall security.

Key Concerns

  • Dangerous function: unserialize detected
  • High severity taint flows with unsanitized paths (4)
  • SQL queries: 50% not using prepared statements
  • Vulnerability history: 1 critical CVE in past
Vulnerabilities (2)

Custom Contact Forms Security Vulnerabilities

CVEs by Year

  • 2012: 1 CVE
  • 2014: 1 CVE

Severity Breakdown

  • Critical: 1
  • Medium: 1

2 total CVEs

Custom Contact Forms <= 5.1.0.3 - Missing Authorization

Sep 17, 2014 · Patched in 5.1.0.4 (3415d)

WF-a5454bc2-0581-45bd-8dbc-5a2819202690-custom-contact-forms · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Contact Forms Plugin <= 5.1.0.2 - Reflected Cross-Site Scripting

May 11, 2012 · Patched in 5.1.0.3 (4274d)
Code Analysis (analyzed Mar 16, 2026)

Custom Contact Forms Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 3 (3 prepared)
Unescaped Output: 46 (646 escaped)
Nonce Checks: 5
Capability Checks: 4
File Operations: 3
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `$fields = unserialize( $form->form_fields );` (classes\class-ccf-upgrader.php:138)
  • unserialize: `$choices = unserialize( $field->field_options );` (classes\class-ccf-upgrader.php:179)

SQL Query Safety

50% prepared (6 total queries)

Output Escaping

93% escaped (692 total outputs)

Data Flows (4 unsanitized)

Data Flow Analysis

18 flows, 4 with unsanitized paths

  • single_line_text (classes\class-ccf-field-renderer.php:26)
Attack Surface

Custom Contact Forms Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

  • [ccf_form] (classes\class-ccf-form-renderer.php:25)

WordPress Hooks (80)

  • action admin_notices (classes\class-ccf-ads.php:18)
  • action init (classes\class-ccf-ads.php:19)
  • action in_admin_footer (classes\class-ccf-ads.php:20)
  • action init (classes\class-ccf-choice-cpt.php:19)
  • action rest_api_init (classes\class-ccf-custom-contact-forms.php:18)
  • action plugins_loaded (classes\class-ccf-custom-contact-forms.php:19)
  • action plugins_loaded (classes\class-ccf-custom-contact-forms.php:20)
  • filter plugin_action_links (classes\class-ccf-custom-contact-forms.php:21)
  • action admin_notices (classes\class-ccf-custom-contact-forms.php:22)
  • action registered_post_type (classes\class-ccf-custom-contact-forms.php:23)
  • action admin_init (classes\class-ccf-custom-contact-forms.php:24)
  • action shutdown (classes\class-ccf-custom-contact-forms.php:56)
  • action wp_enqueue_scripts (classes\class-ccf-custom-contact-forms.php:145)
  • action admin_enqueue_scripts (classes\class-ccf-custom-contact-forms.php:146)
  • action admin_init (classes\class-ccf-export.php:26)
  • filter export_args (classes\class-ccf-export.php:27)
  • action rss2_head (classes\class-ccf-export.php:28)
  • action import_end (classes\class-ccf-export.php:29)
  • action wp_import_insert_post (classes\class-ccf-export.php:30)
  • action admin_menu (classes\class-ccf-export.php:31)
  • action all_admin_notices (classes\class-ccf-export.php:32)
  • action export_filters (classes\class-ccf-export.php:33)
  • filter query (classes\class-ccf-export.php:225)
  • action init (classes\class-ccf-field-cpt.php:19)
  • action init (classes\class-ccf-form-cpt.php:27)
  • filter manage_edit-ccf_form_columns (classes\class-ccf-form-cpt.php:28)
  • action manage_ccf_form_posts_custom_column (classes\class-ccf-form-cpt.php:29)
  • action admin_enqueue_scripts (classes\class-ccf-form-cpt.php:30)
  • action customize_controls_enqueue_scripts (classes\class-ccf-form-cpt.php:31)
  • action edit_form_after_title (classes\class-ccf-form-cpt.php:32)
  • action add_meta_boxes (classes\class-ccf-form-cpt.php:33)
  • filter post_row_actions (classes\class-ccf-form-cpt.php:34)
  • filter get_the_excerpt (classes\class-ccf-form-cpt.php:35)
  • filter screen_settings (classes\class-ccf-form-cpt.php:36)
  • action before_delete_post (classes\class-ccf-form-cpt.php:37)
  • filter wp_link_query_args (classes\class-ccf-form-cpt.php:38)
  • action admin_init (classes\class-ccf-form-cpt.php:39)
  • action init (classes\class-ccf-form-handler.php:576)
  • action init (classes\class-ccf-form-handler.php:577)
  • action media_buttons (classes\class-ccf-form-manager.php:17)
  • action admin_footer (classes\class-ccf-form-manager.php:18)
  • action customize_controls_print_footer_scripts (classes\class-ccf-form-manager.php:19)
  • action admin_enqueue_scripts (classes\class-ccf-form-manager.php:20)
  • action customize_controls_enqueue_scripts (classes\class-ccf-form-manager.php:21)
  • filter mce_css (classes\class-ccf-form-manager.php:22)
  • action wp_enqueue_scripts (classes\class-ccf-form-renderer.php:26)
  • action admin_menu (classes\class-ccf-settings.php:18)
  • action admin_init (classes\class-ccf-settings.php:19)
  • action admin_enqueue_scripts (classes\class-ccf-settings.php:20)
  • action init (classes\class-ccf-submission-cpt.php:12)
  • action before_delete_post (classes\class-ccf-submission-cpt.php:13)
  • action admin_init (classes\class-ccf-upgrader.php:11)
  • action admin_notices (classes\class-ccf-upgrader.php:12)
  • action admin_notices (classes\class-ccf-upgrader.php:288)
  • action widgets_init (custom-contact-forms.php:60)
  • action init (wp-api\core\rest-api.php:61)
  • action xmlrpc_rsd_apis (wp-api\core\wp-includes\filters.php:12)
  • action wp_head (wp-api\core\wp-includes\filters.php:13)
  • action template_redirect (wp-api\core\wp-includes\filters.php:14)
  • action auth_cookie_malformed (wp-api\core\wp-includes\filters.php:15)
  • action auth_cookie_expired (wp-api\core\wp-includes\filters.php:16)
  • action auth_cookie_bad_username (wp-api\core\wp-includes\filters.php:17)
  • action auth_cookie_bad_hash (wp-api\core\wp-includes\filters.php:18)
  • action auth_cookie_valid (wp-api\core\wp-includes\filters.php:19)
  • filter rest_authentication_errors (wp-api\core\wp-includes\filters.php:20)
  • action init (wp-api\core\wp-includes\filters.php:23)
  • action rest_api_init (wp-api\core\wp-includes\filters.php:24)
  • action parse_request (wp-api\core\wp-includes\filters.php:25)
  • action deprecated_function_run (wp-api\core\wp-includes\rest-api\rest-functions.php:103)
  • filter deprecated_function_trigger_error (wp-api\core\wp-includes\rest-api\rest-functions.php:104)
  • action deprecated_argument_run (wp-api\core\wp-includes\rest-api\rest-functions.php:105)
  • filter deprecated_argument_trigger_error (wp-api\core\wp-includes\rest-api\rest-functions.php:106)
  • filter rest_pre_serve_request (wp-api\core\wp-includes\rest-api\rest-functions.php:109)
  • filter rest_post_dispatch (wp-api\core\wp-includes\rest-api\rest-functions.php:110)
  • filter rest_pre_dispatch (wp-api\core\wp-includes\rest-api\rest-functions.php:112)
  • action wp_enqueue_scripts (wp-api\extras.php:11)
  • action admin_enqueue_scripts (wp-api\extras.php:12)
  • filter init (wp-api\plugin.php:87)
  • action init (wp-api\plugin.php:88)
  • action rest_api_init (wp-api\plugin.php:89)
Maintenance & Trust

Custom Contact Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Nov 28, 2017
PHP min version: (not specified)
Downloads: 1.3M

Community Trust

Rating: 70/100
Number of ratings: 171
Active installs: 7K
Developer Profile

Custom Contact Forms Developer Profile

Taylor Lovett

9 plugins · 8K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 3845 days
Detection Fingerprints

How We Detect Custom Contact Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/custom-contact-forms/assets/css/frontend.css
  • /wp-content/plugins/custom-contact-forms/assets/css/frontend.min.css
  • /wp-content/plugins/custom-contact-forms/assets/js/frontend.js
  • /wp-content/plugins/custom-contact-forms/assets/js/frontend.min.js
Script Paths
  • /wp-content/plugins/custom-contact-forms/assets/js/frontend.js
  • /wp-content/plugins/custom-contact-forms/assets/js/frontend.min.js
Version Parameters
  • custom-contact-forms/assets/css/frontend.css?ver=
  • custom-contact-forms/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • ccf-form
  • ccf_widget
Data Attributes
  • data-ccf-form-id
JS Globals
  • ccf_data
REST Endpoints
  • /wp-json/ccf/v1/forms
  • /wp-json/ccf/v1/form/
  • /wp-json/ccf/v1/submissions
  • /wp-json/ccf/v1/submission/
Shortcode Output
  • [custom-contact-form
  • [ccf_form
FAQ

Frequently Asked Questions about Custom Contact Forms