Easy Form Security & Risk Analysis

wordpress.org/plugins/easy-form

The best WordPress form builder plugin. Create contact forms, subscription forms, payment forms, or any custom forms in minutes.

100 active installs · v2.8.0 · PHP 7.0+ · WP 5.0+ · Updated Feb 18, 2026
Tags: contact-form, custom-form, form, form-builder, forms
Score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Nov 28, 2025
Safety Verdict

Is Easy Form Safe to Use in 2026?

Generally Safe

Score 95/100

Easy Form has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Nov 28, 2025 · Updated 1mo ago
Risk Assessment

The "easy-form" plugin v2.8.0 presents a mixed security posture. On the positive side, it demonstrates good practices in SQL query handling with a high percentage of prepared statements and a substantial number of nonce and capability checks. The fact that there are no currently unpatched CVEs is also a strong positive indicator. However, significant concerns arise from the static analysis. A large attack surface is exposed, with 9 out of 12 entry points lacking authentication checks. Furthermore, the taint analysis reveals 10 high-severity flows with unsanitized paths, indicating potential vulnerabilities if input is not handled carefully. The plugin's history of medium-severity vulnerabilities, including Missing Authorization, CSRF, and XSS, coupled with the current taint analysis findings, suggests a recurring pattern of input validation and authorization weaknesses that require careful attention. While the plugin shows effort in some security areas, the high number of unprotected entry points and the identified high-severity taint flows significantly elevate the risk profile.

Key Concerns

  • High number of unprotected AJAX handlers
  • 10 high severity taint flows with unsanitized paths
  • History of medium severity vulnerabilities (Missing Auth, CSRF, XSS)
  • Potentially vulnerable file operations
  • Lower output escaping percentage (76%)
Vulnerabilities
4

Easy Form Security Vulnerabilities

CVEs by Year

2023: 2 CVEs
2025: 2 CVEs

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-66117 · medium · 5.3 · Missing Authorization

Easy Form <= 2.7.8 - Missing Authorization

Nov 28, 2025 · Patched in 2.7.9 (23d)

CVE-2025-27285 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Form by AYS <= 2.6.9 - Reflected Cross-Site Scripting

Feb 21, 2025 · Patched in 2.7.0 (21d)

WF-ee595f48-b72f-4569-a248-7dbd0b9152ae-easy-form · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Easy Form by AYS <= 1.3.8 - Cross-Site Request Forgery

Sep 7, 2023 · Patched in 1.3.9 (138d)

CVE-2023-32498 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Form by AYS <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 9, 2023 · Patched in 1.2.1 (259d)
Code Analysis
Analyzed Mar 16, 2026

Easy Form Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 15 (265 prepared)
Unescaped Output: 1220 (3806 escaped)
Nonce Checks: 25
Capability Checks: 17
File Operations: 6
External Requests: 1
Bundled Libraries: 2

Bundled Libraries

DataTables, Select2

SQL Query Safety

95% prepared · 280 total queries

Output Escaping

76% escaped · 5026 total outputs
Data Flows
11 unsanitized

Data Flow Analysis

22 flows · 11 with unsanitized paths
deactivate_plugin_option (admin\class-ays-form-maker-admin.php:1001)
Attack Surface
9 unprotected

Easy Form Attack Surface

Entry Points: 12
Unprotected: 9

AJAX Handlers 9

auth wp_ajax_ays_form_admin_ajax includes\class-ays-form-maker.php:250
auth wp_ajax_ays_form_install_plugin includes\class-ays-form-maker.php:254
nopriv wp_ajax_ays_form_install_plugin includes\class-ays-form-maker.php:255
auth wp_ajax_ays_form_activate_plugin includes\class-ays-form-maker.php:257
nopriv wp_ajax_ays_form_activate_plugin includes\class-ays-form-maker.php:258
auth wp_ajax_ays_form_dismiss_button includes\class-ays-form-maker.php:279
nopriv wp_ajax_ays_form_dismiss_button includes\class-ays-form-maker.php:280
auth wp_ajax_ays_form_ajax includes\class-ays-form-maker.php:309
nopriv wp_ajax_ays_form_ajax includes\class-ays-form-maker.php:310

Shortcodes 3

[ays_form] public\class-ays-form-maker-public.php:80
[ays_form_popup] public\class-ays-form-maker-public.php:81
[ays_form_most_popular] public\partials\class-ays-form-maker-most-popular-shortcode.php:18

WordPress Hooks 58

filter set-screen-option admin\class-ays-form-maker-admin.php:137
filter parent_file admin\class-ays-form-maker-admin.php:593
action admin_notices admin\class-ays-form-maker-admin.php:3236
action plugins_loaded easy-form.php:88
action admin_notices easy-form.php:109
action enqueue_block_editor_assets form\ays-form-maker-block.php:147
action init form\ays-form-maker-block.php:148
action init includes\class-ays-form-maker.php:211
action admin_enqueue_scripts includes\class-ays-form-maker.php:226
action admin_enqueue_scripts includes\class-ays-form-maker.php:227
action admin_enqueue_scripts includes\class-ays-form-maker.php:228
action admin_menu includes\class-ays-form-maker.php:231
action admin_menu includes\class-ays-form-maker.php:232
action admin_menu includes\class-ays-form-maker.php:233
action admin_menu includes\class-ays-form-maker.php:234
action admin_menu includes\class-ays-form-maker.php:237
action admin_menu includes\class-ays-form-maker.php:240
action admin_menu includes\class-ays-form-maker.php:244
action admin_menu includes\class-ays-form-maker.php:245
action admin_menu includes\class-ays-form-maker.php:246
action admin_menu includes\class-ays-form-maker.php:247
action admin_enqueue_scripts includes\class-ays-form-maker.php:265
action in_admin_footer includes\class-ays-form-maker.php:267
action elementor/widgets/widgets_registered includes\class-ays-form-maker.php:269
action admin_notices includes\class-ays-form-maker.php:277
action current_screen includes\class-ays-form-maker.php:282
action wp_enqueue_scripts includes\class-ays-form-maker.php:304
action ays_fm_form_page_integrations includes\class-ays-form-maker.php:326
action ays_fm_settings_page_integrations includes\class-ays-form-maker.php:329
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:333
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:337
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:341
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:345
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:350
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:355
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:360
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:365
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:370
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:375
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:380
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:384
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:388
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:392
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:396
filter ays_fm_settings_page_integrations_contents includes\class-ays-form-maker.php:400
filter ays_fm_settings_page_integrations_saves includes\class-ays-form-maker.php:401
filter ays_fm_form_page_integrations_contents includes\class-ays-form-maker.php:404
filter ays_fm_form_page_integrations_options includes\class-ays-form-maker.php:405
filter ays_fm_form_page_integrations_saves includes\class-ays-form-maker.php:406
filter ays_fm_front_end_integrations_options includes\class-ays-form-maker.php:409
filter ays_fm_front_end_recaptcha includes\class-ays-form-maker.php:410
action init includes\class-form-maker-custom-post-type.php:31
action admin_notices includes\lists\class-ays-form-maker-each-entry-list-table.php:13
filter default_hidden_columns includes\lists\class-ays-form-maker-each-entry-list-table.php:14
action admin_notices includes\lists\class-ays-form-maker-entries-list-table.php:15
action admin_notices includes\lists\class-ays-form-maker-form-categories-list-table.php:41
action admin_notices includes\lists\class-ays-form-maker-forms-list-table.php:52
filter default_hidden_columns includes\lists\class-ays-form-maker-forms-list-table.php:53
Maintenance & Trust

Easy Form Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Feb 18, 2026
PHP min version: 7.0
Downloads: 12K

Community Trust

Rating: 84/100
Number of ratings: 5
Active installs: 100
Developer Profile

Easy Form Developer Profile

Ays Pro

18 plugins · 111K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 216 days
Detection Fingerprints

How We Detect Easy Form

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/easy-form/admin/css/admin-style.css
/wp-content/plugins/easy-form/admin/js/admin-script.js
/wp-content/plugins/easy-form/form/css/public-style.css
/wp-content/plugins/easy-form/form/js/public-script.js
Script Paths
/wp-content/plugins/easy-form/admin/js/admin-script.js
/wp-content/plugins/easy-form/form/js/public-script.js
Version Parameters
easy-form/admin/css/admin-style.css?ver=
easy-form/admin/js/admin-script.js?ver=
easy-form/form/css/public-style.css?ver=
easy-form/form/js/public-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
ays-notice-banner
ays-form-logo-container-upgrade
ays-form-upgrade-container
form-maker-upgrade-to-pro
ays-form-logo-container-one-time-text
ays_fa
ays_fa_ellipsis_h
ays-btn
Data Attributes
data-expanded
JS Globals
AYS_FORM_MAKER_VERSION
AYS_FORM_MAKER_NAME_VERSION
AYS_FORM_MAKER_NAME
AYS_FORM_MAKER_DB_PREFIX
AYS_FORM_MAKER_CLASS_PREFIX
AYS_FORM_MAKER_NAME_PREFIX
+7 more
FAQ

Frequently Asked Questions about Easy Form