Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) Security & Risk Analysis

wordpress.org/plugins/extensions-for-cf7

Easily save contact form data, apply conditional logic in the fields and redirect to any page after contact form submission.

6K active installs · v3.4.3 · PHP + · WP 5.0+ · Updated Feb 25, 2026
Tags: cf7 · contact-form-7 · contact-form-db · redirection
Score: 91 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jan 23, 2026
Safety Verdict

Is Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) Safe to Use in 2026?

Generally Safe

Score 91/100

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jan 23, 2026 · Updated 1mo ago
Risk Assessment

Version 3.4.3 of the plugin "extensions-for-cf7" exhibits a mixed security posture. It follows good practice in SQL query preparation (95% prepared) and nonce checks (10), but its attack surface and taint analysis raise significant concerns. One AJAX handler is unprotected, which is a direct entry point for potential unauthorized actions. The taint analysis also reports a concerning number of flows with unsanitized paths, 6 of them high severity, indicating potential vulnerabilities such as path traversal or injection flaws that could be exploited. The plugin's history of 5 known CVEs (2 high, 2 medium, 1 low), covering Authorization Bypass, Path Traversal, SSRF, XSS, and CSRF, suggests a recurring pattern of vulnerabilities that requires careful management. Although there are currently no unpatched CVEs, the past incidents indicate that the code base may have underlying weaknesses that are repeatedly exploited or discovered. The use of `unserialize` is also a potential risk if it processes untrusted input; the one call found passes `'allowed_classes' => false`, which prevents object instantiation during deserialization.

Key Concerns

  • Unprotected AJAX handler
  • High severity unsanitized taint flows
  • History of 5 known CVEs (2 high, 2 medium)
  • Use of unserialize function
Vulnerabilities
5

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 1 CVE
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

High: 2
Medium: 2
Low: 1

5 total CVEs

CVE-2026-24991 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Extensions For CF7 <= 3.4.0 - Authenticated (Contributor+) Insecure Direct Object Reference

Jan 23, 2026 · Patched in 3.4.1 (11d)

CVE-2025-7645 · high · 8.1 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) <= 3.2.8 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion

Jul 21, 2025 · Patched in 3.2.9 (1d)

CVE-2025-24695 · low · 3.8 · Server-Side Request Forgery (SSRF)

Extensions For CF7 <= 3.2.0 - Authenticated (Admin+) Server-Side Request Forgery

Jan 24, 2025 · Patched in 3.2.1 (5d)

CVE-2024-29102 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Extensions For CF7 <= 3.0.6 - Unauthenticated Stored Cross-Site Scripting

Mar 15, 2024 · Patched in 3.0.7 (6d)

CVE-2023-23899 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Extensions For CF7 <= 2.0.8 - Cross-Site Request Forgery

Jan 20, 2023 · Patched in 2.0.9 (368d)
Code Analysis
Analyzed Mar 16, 2026

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 3 (60 prepared)
Unescaped Output: 219 (462 escaped)
Nonce Checks: 10
Capability Checks: 19
File Operations: 5
External Requests: 11
Bundled Libraries: 0

Dangerous Functions Found

`unserialize` · `$unserialized = @unserialize( $data, array( 'allowed_classes' => false ) );` · includes\helper-functions.php:171

SQL Query Safety

95% prepared · 63 total queries

Output Escaping

68% escaped · 681 total outputs
Data Flows
10 unsanitized

Data Flow Analysis

20 flows · 10 with unsanitized paths
extra_tablenav (admin\include\class.cf7-form-data-list.php:378)
Attack Surface
1 unprotected

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) Attack Surface

Entry Points: 4
Unprotected: 1

AJAX Handlers 4

auth · wp_ajax_ht_cf7extensions_diagnostic_data · admin\include\class-diagnostic-data.php:101
auth · wp_ajax_extcf7_mailchimp_map · admin\include\class.cf7-mailchimp-map.php:32
auth · wp_ajax_extcf7_notices · admin\include\class.notices.php:53
auth · wp_ajax_htcf7ext_view_formdata · includes\class-ajax-actions.php:31
WordPress Hooks 69
action · admin_enqueue_scripts · admin\admin-init.php:17
action · admin_notices · admin\include\class-diagnostic-data.php:97
action · plugins_loaded · admin\include\class-diagnostic-data.php:111
action · admin_head · admin\include\class-diagnostic-data.php:121
action · admin_footer · admin\include\class-diagnostic-data.php:122
action · wpcf7_init · admin\include\class.cf7-column.php:29
action · admin_init · admin\include\class.cf7-column.php:30
filter · wpcf7_contact_form_properties · admin\include\class.cf7-column.php:32
filter · wpcf7_contact_form_properties · admin\include\class.cf7-column.php:33
filter · wpcf7_contact_form_properties · admin\include\class.cf7-condition-setup.php:120
action · wpcf7_form_hidden_fields · admin\include\class.cf7-condition-setup.php:159
action · wpcf7_init · admin\include\class.cf7-conditional.php:32
action · admin_init · admin\include\class.cf7-conditional.php:35
filter · wpcf7_editor_panels · admin\include\class.cf7-conditional.php:38
action · wpcf7_after_save · admin\include\class.cf7-conditional.php:40
action · init · admin\include\class.cf7-extensions-recomendation.php:20
filter · wpcf7_editor_panels · admin\include\class.cf7-mailchimp-map.php:31
action · wpcf7_after_save · admin\include\class.cf7-mailchimp-map.php:33
action · wpcf7_admin_footer · admin\include\class.cf7-metabox.php:26
action · admin_enqueue_scripts · admin\include\class.cf7-metabox.php:27
action · admin_head-toplevel_page_wpcf7 · admin\include\class.cf7-metabox.php:28
filter · extcf7_post_metabox · admin\include\class.cf7-range-slider.php:29
action · wpcf7_save_contact_form · admin\include\class.cf7-range-slider.php:30
filter · wpcf7_contact_form_properties · admin\include\class.cf7-range-slider.php:31
action · wpcf7_init · admin\include\class.cf7-range-slider.php:32
action · admin_init · admin\include\class.cf7-range-slider.php:33
filter · wpcf7_validate_extcf7_range_slider · admin\include\class.cf7-range-slider.php:35
filter · wpcf7_validate_extcf7_range_slider* · admin\include\class.cf7-range-slider.php:36
filter · wpcf7_editor_panels · admin\include\class.cf7-redirection.php:31
action · wpcf7_after_save · admin\include\class.cf7-redirection.php:32
action · wpcf7_form_hidden_fields · admin\include\class.cf7-redirection.php:33
action · wp_enqueue_scripts · admin\include\class.cf7-signature.php:25
filter · extcf7_post_metabox · admin\include\class.cf7-signature.php:27
action · wpcf7_save_contact_form · admin\include\class.cf7-signature.php:28
action · wpcf7_init · admin\include\class.cf7-signature.php:30
action · admin_init · admin\include\class.cf7-signature.php:31
filter · wpcf7_validate_extcf7_signature · admin\include\class.cf7-signature.php:33
filter · wpcf7_validate_extcf7_signature* · admin\include\class.cf7-signature.php:34
action · wpcf7_before_send_mail · admin\include\class.form-data-store.php:12
action · admin_notices · admin\include\class.notices.php:49
action · extcf7_admin_notices · admin\include\class.notices.php:50
action · extcf7_admin_sidebar_notices · admin\include\class.notices.php:51
action · admin_footer · admin\include\class.notices.php:52
action · admin_menu · admin\include\Recommended_Plugins.php:78
action · admin_enqueue_scripts · admin\include\Recommended_Plugins.php:79
action · admin_menu · admin\settings-panel\includes\classes\Admin\Menu.php:10
action · admin_enqueue_scripts · admin\settings-panel\includes\classes\Admin\Menu.php:52
action · rest_api_init · admin\settings-panel\includes\classes\Api.php:17
action · admin_enqueue_scripts · admin\settings-panel\includes\classes\Assets.php:11
action · admin_enqueue_scripts · admin\settings-panel\includes\classes\Extensions_Cf7_Trial.php:70
action · admin_init · admin\settings-panel\includes\classes\Extensions_Cf7_Trial.php:71
action · admin_print_scripts · admin\settings-panel\includes\classes\Extensions_Cf7_Trial.php:343
action · admin_print_footer_scripts · admin\settings-panel\includes\classes\Extensions_Cf7_Trial.php:344
action · admin_notices · admin\settings-panel\includes\classes\Extensions_Cf7_Trial.php:348
action · admin_footer · admin\settings-panel\includes\classes\Extensions_Cf7_Trial.php:352
action · admin_footer · admin\settings-panel\includes\classes\Extensions_Cf7_Trial.php:353
action · init · admin\settings-panel\settings-panel.php:127
action · init · includes\class.cf7-extensions.php:33
action · plugins_loaded · includes\class.cf7-extensions.php:34
action · in_admin_header · includes\class.cf7-extensions.php:36
action · wp_enqueue_scripts · includes\class.cf7-extensions.php:40
action · activated_plugin · includes\class.cf7-extensions.php:41
action · admin_init · includes\class.cf7-extensions.php:48
action · admin_init · includes\class.cf7-extensions.php:49
action · admin_notices · includes\class.cf7-extensions.php:76
action · admin_notices · includes\class.cf7-extensions.php:83
action · init · includes\class.cf7-extensions.php:130
action · wpcf7_submit · includes\class.form-data-store.php:12
action · wpcf7_before_send_mail · includes\class.mailchimp-subscribe.php:28
Maintenance & Trust

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 25, 2026
PHP min version
Downloads: 171K

Community Trust

Rating: 98/100
Number of ratings: 8
Active installs: 6K
Developer Profile

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) Developer Profile

HT Plugins

23 plugins · 64K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 124 days
Detection Fingerprints

How We Detect Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/extensions-for-cf7/admin/assets/css/admin-style.css
/wp-content/plugins/extensions-for-cf7/admin/assets/js/admin.js
/wp-content/plugins/extensions-for-cf7/admin/assets/js/metabox.js
/wp-content/plugins/extensions-for-cf7/admin/assets/js/conditional.js
/wp-content/plugins/extensions-for-cf7/admin/assets/js/redirection.js
/wp-content/plugins/extensions-for-cf7/admin/assets/js/mailchimp-map.js
/wp-content/plugins/extensions-for-cf7/admin/assets/js/column.js
/wp-content/plugins/extensions-for-cf7/admin/assets/css/jquery-ui.css
Script Paths
admin/assets/css/admin-style.css
admin/assets/js/admin.js
admin/assets/js/metabox.js
admin/assets/js/conditional.js
admin/assets/js/redirection.js
admin/assets/js/mailchimp-map.js
+2 more
Version Parameters
extensions-for-cf7/admin/assets/css/admin-style.css?ver=
extensions-for-cf7/admin/assets/js/admin.js?ver=
extensions-for-cf7/admin/assets/js/metabox.js?ver=
extensions-for-cf7/admin/assets/js/conditional.js?ver=
extensions-for-cf7/admin/assets/js/redirection.js?ver=
extensions-for-cf7/admin/assets/js/mailchimp-map.js?ver=
extensions-for-cf7/admin/assets/js/column.js?ver=
extensions-for-cf7/admin/assets/css/jquery-ui.css?ver=

HTML / DOM Fingerprints

CSS Classes
extcf7_pro-from-wraper
Data Attributes
data-dialog-title
JS Globals
extcf7_animation_info
htcf7ext_params
extcf7_conditional_mode
extcf7_mailchimp_map_data
FAQ

Frequently Asked Questions about Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)