Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Security & Risk Analysis

wordpress.org/plugins/easy-form-builder

Create flexible contact forms, survey forms, payment forms, and user authentication forms using a drag-and-drop form builder plugin for WordPress.

2K active installs · v4.0.4 · PHP 7.0+ · WP 5.0+ · Updated Apr 4, 2026
Tags: form-builder, form-plugin, multi-step-form, payment-form, survey-form
Score: 86 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Feb 13, 2026
Safety Verdict

Is Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Safe to Use in 2026?

Generally Safe

Score 86/100

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

7 known CVEs · Last CVE: Feb 13, 2026 · Updated 1mo ago
Risk Assessment

The "easy-form-builder" plugin version 4.0.0 exhibits a mixed security posture. While it demonstrates good practices such as a significant percentage of SQL queries using prepared statements, strong output escaping, and ample nonce and capability checks, several concerning aspects warrant attention. The static analysis reveals the presence of dangerous functions (preg_replace(/e)) and a high number of flows with unsanitized paths, including one of high severity, indicating potential vulnerabilities in input handling. The plugin's history of known CVEs is substantial, with a critical unpatched vulnerability being a major red flag. The prevalence of past issues related to missing authorization, SQL injection, and XSS suggests recurring security weaknesses that have not been fully eradicated.

Key Concerns

  • Unpatched critical CVE
  • High severity taint flow with unsanitized path
  • Presence of dangerous function: preg_replace(/e)
  • Multiple flows with unsanitized paths
  • History of 7 known CVEs
  • Common vulnerability types: Missing Auth, SQLi, XSS
Vulnerabilities
7 published

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 1 CVE
  • 2025: 3 CVEs
  • 2026: 2 CVEs

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 5

7 total CVEs

CVE-2025-14067 · medium · 5.3 · Missing Authorization

Easy Form Builder <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure

Feb 13, 2026 · Patched in 3.9.4 (1d)

CVE-2026-22472 · medium · 4.3 · Missing Authorization

Easy Form Builder <= 3.9.6 - Missing Authorization

Jan 6, 2026 · Patched in 4.0.0 (71d)

CVE-2025-67577 · medium · 5.3 · Missing Authorization

Easy Form Builder <= 3.8.20 - Missing Authorization

Dec 15, 2025 · Patched in 3.8.21 (6d)

CVE-2025-54678 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Easy Form Builder <= 3.8.15 - Unauthenticated SQL Injection

Aug 7, 2025 · Patched in 3.8.16 (5d)

CVE-2024-12112 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Form Builder <= 3.8.8 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Jan 7, 2025 · Patched in 3.8.9 (1d)

CVE-2024-30535 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Easy Form Builder <= 3.7.4 - Authenticated (Contributor+) SQL Injection

Mar 29, 2024 · Patched in 3.7.5 (6d)

CVE-2022-3906 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Form Builder <= 3.3.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Nov 16, 2022 · Patched in 3.4.0 (433d)

Version History

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 22 (51 prepared)
  • Unescaped Output: 48 (357 escaped)
  • Nonce Checks: 24
  • Capability Checks: 5
  • File Operations: 17
  • External Requests: 7
  • Bundled Libraries: 0

Dangerous Functions Found

preg_replace(/e) · preg_replace('/e · includes\admin\class-Emsfb-admin.php:856
preg_replace(/e) · preg_replace('/e · includes\class-email-handler.php:709

SQL Query Safety

70% prepared · 73 total queries

Output Escaping

88% escaped · 405 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

10 flows · 3 with unsanitized paths
addon_add_efb (includes\functions.php:1769)
Attack Surface

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Attack Surface

Entry Points: 28
Unprotected: 0

AJAX Handlers 23

auth · wp_ajax_remove_id_Emsfb · includes\admin\class-Emsfb-admin.php:31
auth · wp_ajax_remove_message_id_Emsfb · includes\admin\class-Emsfb-admin.php:32
auth · wp_ajax_get_form_id_Emsfb · includes\admin\class-Emsfb-admin.php:33
auth · wp_ajax_get_messages_id_Emsfb · includes\admin\class-Emsfb-admin.php:34
auth · wp_ajax_get_all_response_id_Emsfb · includes\admin\class-Emsfb-admin.php:35
auth · wp_ajax_update_form_Emsfb · includes\admin\class-Emsfb-admin.php:36
auth · wp_ajax_update_message_state_Emsfb · includes\admin\class-Emsfb-admin.php:37
auth · wp_ajax_set_replyMessage_id_Emsfb · includes\admin\class-Emsfb-admin.php:38
auth · wp_ajax_set_settings_Emsfb · includes\admin\class-Emsfb-admin.php:39
auth · wp_ajax_get_track_id_Emsfb · includes\admin\class-Emsfb-admin.php:40
auth · wp_ajax_clear_garbeg_Emsfb · includes\admin\class-Emsfb-admin.php:41
auth · wp_ajax_check_email_server_efb · includes\admin\class-Emsfb-admin.php:42
auth · wp_ajax_add_addons_Emsfb · includes\admin\class-Emsfb-admin.php:43
auth · wp_ajax_remove_addons_Emsfb · includes\admin\class-Emsfb-admin.php:44
auth · wp_ajax_update_file_Emsfb · includes\admin\class-Emsfb-admin.php:45
auth · wp_ajax_send_sms_pnl_efb · includes\admin\class-Emsfb-admin.php:46
auth · wp_ajax_dup_efb · includes\admin\class-Emsfb-admin.php:47
auth · wp_ajax_remove_messages_Emsfb · includes\admin\class-Emsfb-admin.php:49
auth · wp_ajax_read_list_Emsfb · includes\admin\class-Emsfb-admin.php:50
auth · wp_ajax_heartbeat_Emsfb · includes\admin\class-Emsfb-admin.php:51
auth · wp_ajax_report_problem_Emsfb · includes\admin\class-Emsfb-admin.php:52
auth · wp_ajax_efb_save_plan_selection · includes\admin\class-Emsfb-admin.php:53
auth · wp_ajax_add_form_Emsfb · includes\admin\class-Emsfb-create.php:32

REST API Routes 3

GET · /wp-json/Emsfb/v1test/(?P<name>[a-zA-Z0-9_]+)/(?P<id>[a-zA-Z0-9_]+) · includes\class-Emsfb-webhook.php:18
GET · /wp-json/efb/v1/forms · includes\page-builders\gutenberg\class-Emsfb-gutenberg-block.php:87
GET · /wp-json/efb/v1/preview/(?P<id>[\w-]+) · includes\page-builders\gutenberg\class-Emsfb-gutenberg-block.php:93

Shortcodes 2

[efb_vc_form] includes\page-builders\visual-composer\class-Emsfb-visual-composer.php:27
[efb_wpbakery_form] includes\page-builders\wpbakery\class-Emsfb-wpbakery.php:90
WordPress Hooks 53
action · emsfb_check_file_access_after_activation · emsfb.php:76
action · admin_menu · includes\admin\class-Emsfb-addon.php:25
action · admin_enqueue_scripts · includes\admin\class-Emsfb-admin.php:24
action · admin_menu · includes\admin\class-Emsfb-admin.php:25
action · efb_loading_card · includes\admin\class-Emsfb-admin.php:48
action · create_temporary_links_table_Emsfb · includes\admin\class-Emsfb-admin.php:55
action · admin_notices · includes\admin\class-Emsfb-admin.php:57
action · admin_menu · includes\admin\class-Emsfb-create.php:29
action · admin_init · includes\admin\class-Emsfb-create.php:30
action · fun_Emsfb_creator · includes\admin\class-Emsfb-create.php:31
filter · wp_mail_content_type · includes\class-email-handler.php:143
action · wp_mail_failed · includes\class-email-handler.php:163
action · wp_head · includes\class-Emsfb-formbuilder.php:2080
action · wp_footer · includes\class-Emsfb-formbuilder.php:2106
action · wp_head · includes\class-Emsfb-formbuilder.php:3785
filter · the_generator · includes\class-Emsfb-formbuilder.php:3787
action · rest_api_init · includes\class-Emsfb-webhook.php:16
action · save_post · includes\class-Emsfb-widgets-helper.php:25
action · deleted_post · includes\class-Emsfb-widgets-helper.php:26
action · activated_plugin · includes\class-Emsfb.php:36
action · deactivated_plugin · includes\class-Emsfb.php:37
action · emsfb_update_cache_plugins_list · includes\class-Emsfb.php:39
filter · emsfb_get_server_host · includes\class-Emsfb.php:41
action · emsfb_file_access_check_after_activation · includes\class-Emsfb.php:43
action · upgrader_process_complete · includes\class-Emsfb.php:45
action · plugins_loaded · includes\class-Emsfb.php:47
action · elementor/loaded · includes\class-Emsfb.php:176
action · vc_before_init · includes\class-Emsfb.php:187
action · vcv:api · includes\class-Emsfb.php:197
action · admin_enqueue_scripts · includes\class-Emsfb.php:605
action · admin_footer · includes\class-Emsfb.php:611
action · admin_enqueue_scripts · includes\class-Emsfb.php:697
action · admin_footer · includes\class-Emsfb.php:703
action · update_option_emsfb_settings · includes\functions.php:49
action · load-index.php · includes\functions.php:56
action · emsfb_download_addons_cron · includes\functions.php:58
filter · efb_admin_localize_vars · includes\integrations\class-Emsfb-shield-silentcaptcha.php:12
filter · efb_submit_bot_decision · includes\integrations\class-Emsfb-shield-silentcaptcha.php:13
action · elementor/widgets/register · includes\page-builders\elementor\class-Emsfb-elementor.php:37
action · elementor/elements/categories_registered · includes\page-builders\elementor\class-Emsfb-elementor.php:39
action · elementor/editor/after_enqueue_styles · includes\page-builders\elementor\class-Emsfb-elementor.php:41
action · init · includes\page-builders\gutenberg\class-Emsfb-gutenberg-block.php:26
action · rest_api_init · includes\page-builders\gutenberg\class-Emsfb-gutenberg-block.php:27
action · enqueue_block_editor_assets · includes\page-builders\gutenberg\class-Emsfb-gutenberg-block.php:28
action · vcv:api · includes\page-builders\visual-composer\class-Emsfb-visual-composer.php:29
filter · vcv:helpers:localizations:i18n · includes\page-builders\visual-composer\class-Emsfb-visual-composer.php:31
action · admin_enqueue_scripts · includes\page-builders\visual-composer\class-Emsfb-visual-composer.php:33
action · widgets_init · includes\page-builders\visual-composer\class-Emsfb-visual-composer.php:35
action · admin_footer · includes\page-builders\visual-composer\class-Emsfb-visual-composer.php:37
action · wp_footer · includes\page-builders\visual-composer\class-Emsfb-visual-composer.php:38
action · vc_before_init · includes\page-builders\wpbakery\class-Emsfb-wpbakery.php:34
action · vc_load_iframe_jscss · includes\page-builders\wpbakery\class-Emsfb-wpbakery.php:35
action · admin_enqueue_scripts · includes\page-builders\wpbakery\class-Emsfb-wpbakery.php:36

Scheduled Events 2

emsfb_check_file_access_after_activation
emsfb_download_addons_cron
Maintenance & Trust

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 4, 2026
PHP min version: 7.0
Downloads: 100K

Community Trust

Rating: 100/100
Number of ratings: 68
Active installs: 2K
Developer Profile

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Developer Profile

hassantafreshi

2 plugins · 2K total installs

Trust score: 83
Avg Security Score: 93/100
Avg Patch Time: 75 days
Detection Fingerprints

How We Detect Easy Form Builder by WhiteStudio — Drag & Drop Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/easy-form-builder/assets/css/admin/datepicker.css
/wp-content/plugins/easy-form-builder/assets/css/admin/dropzone.css
/wp-content/plugins/easy-form-builder/assets/css/admin/select2.css
/wp-content/plugins/easy-form-builder/assets/css/admin/style.css
/wp-content/plugins/easy-form-builder/assets/css/admin/switchery.css
/wp-content/plugins/easy-form-builder/assets/css/admin/timepicker.css
/wp-content/plugins/easy-form-builder/assets/css/custom-style.css
/wp-content/plugins/easy-form-builder/assets/css/frontend/datepicker.css
+19 more
Script Paths
/wp-content/plugins/easy-form-builder/assets/js/admin/admin-script.js
/wp-content/plugins/easy-form-builder/assets/js/admin/datepicker.js
/wp-content/plugins/easy-form-builder/assets/js/admin/dropzone.js
/wp-content/plugins/easy-form-builder/assets/js/admin/select2.js
/wp-content/plugins/easy-form-builder/assets/js/admin/switchery.js
/wp-content/plugins/easy-form-builder/assets/js/admin/timepicker.js
+7 more
Version Parameters
/wp-content/plugins/easy-form-builder/assets/css/admin/datepicker.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/admin/dropzone.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/admin/select2.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/admin/style.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/admin/switchery.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/admin/timepicker.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/custom-style.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/frontend/datepicker.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/frontend/dropzone.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/frontend/select2.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/frontend/style.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/frontend/switchery.css?ver=
/wp-content/plugins/easy-form-builder/assets/css/frontend/timepicker.css?ver=
/wp-content/plugins/easy-form-builder/assets/js/admin/admin-script.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/admin/datepicker.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/admin/dropzone.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/admin/select2.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/admin/switchery.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/admin/timepicker.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/custom-script.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/frontend/datepicker.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/frontend/dropzone.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/frontend/select2.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/frontend/script.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/frontend/switchery.js?ver=
/wp-content/plugins/easy-form-builder/assets/js/frontend/timepicker.js?ver=
/wp-content/plugins/easy-form-builder/assets/vendors/js/jquery.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
emsfb-wrapper, emsfb-dropzone, emsfb-dropzone-message, emsfb-dropzone-previews, emsfb-dropzone-dz-image-preview, emsfb-dropzone-dz-error-message, emsfb-dropzone-dz-error-message-wrapper, emsfb-dropzone-dz-scrollbar-content, +52 more
HTML Comments
<!-- Easy Form Builder -->
<!-- END Easy Form Builder -->
<!-- Easy Form Builder Admin Script -->
<!-- Easy Form Builder Frontend Script -->
Data Attributes
data-emsfb-id, data-emsfb-field-id, data-emsfb-form-id, data-emsfb-unique-id, data-emsfb-droppable, data-emsfb-upload-url, +24 more
JS Globals
EmsfbAdminScript, EmsfbFrontendScript, emsfb_script_data, emsfb_data, emsfb_admin_data
FAQ

Frequently Asked Questions about Easy Form Builder by WhiteStudio — Drag & Drop Form Builder