WP-Safety

FEP Contact Form Security & Risk Analysis

wordpress.org/plugins/fep-contact-form

FEP Contact Form is a secure contact form to your WordPress site.This can be used with Front End PM or without.

10 active installs v3.2 PHP + WP 2.8+ Updated Apr 23, 2015
contact-formemailmailsecure-contact-formsimple-contact-form
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is FEP Contact Form Safe to Use in 2026?

Generally Safe

Score 85/100

FEP Contact Form has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago
Risk Assessment

The fep-contact-form plugin version 3.2 shows a generally good security posture, with strong adherence to modern WordPress security practices. The absence of known CVEs and a focus on prepared statements for SQL queries are positive indicators. However, the static analysis reveals potential areas of concern that warrant attention. A significant percentage of output escaping is not properly handled, which could lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is displayed without proper sanitization. Furthermore, the taint analysis indicates four high-severity flows with unsanitized paths, suggesting that data entering the plugin might not be sufficiently validated before being used in potentially sensitive operations. While the attack surface appears well-protected with no direct unprotected entry points, the presence of unsanitized data flows is a critical risk that needs to be addressed. The lack of historical vulnerabilities is a strength, but it doesn't negate the immediate risks identified in the current analysis.

Key Concerns

  • High severity unsanitized taint flows
  • Low percentage of properly escaped output
Vulnerabilities
None known

FEP Contact Form Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

FEP Contact Form Code Analysis

Dangerous Functions
0
Raw SQL Queries
3
62 prepared
Unescaped Output
39
45 escaped
Nonce Checks
1
Capability Checks
22
File Operations
3
External Requests
0
Bundled Libraries
0

SQL Query Safety

95% prepared65 total queries

Output Escaping

54% escaped84 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

17 flows4 with unsanitized paths
department_settings_action (admin\fepcf-admin-class.php:97)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

FEP Contact Form Attack Surface

Entry Points2
Unprotected0

Shortcodes 2

[fep-contact-form-admin] fepcf-display-class.php:22
[fep-contact-form] fepcf-main-class.php:20
WordPress Hooks 44
actionadmin_menuadmin\fepcf-admin-class.php:19
filterplugin_action_linksadmin\fepcf-admin-class.php:20
actionwp_loadedadmin\fepcf-admin-class.php:282
actionafter_setup_themefep-contact-form.php:37
actionplugins_loadedfep-contact-form.php:38
actionwp_enqueue_scriptsfep-contact-form.php:39
actionadmin_enqueue_scriptsfep-contact-form.php:40
actionfepcf_admin_setting_formfepcf-attachment-class.php:19
actionfepcf_action_admin_setting_before_savefepcf-attachment-class.php:20
actionfepcf_display_after_contentfepcf-attachment-class.php:21
actionfepcf_switch_downloadfepcf-attachment-class.php:22
actionfepcf_message_before_deletefepcf-attachment-class.php:23
actionfepcf_message_form_after_contentfepcf-attachment-class.php:26
actionfepcf_action_message_before_sendfepcf-attachment-class.php:27
actionfepcf_action_message_after_sendfepcf-attachment-class.php:28
filterupload_dirfepcf-attachment-class.php:107
actionwp_loadedfepcf-attachment-class.php:231
actionwp_loadedfepcf-display-class.php:467
actionwp_loadedfepcf-main-class.php:436
actionfepcf_menu_buttonfepcf-menu-class.php:19
actionfepcf_menu_buttonfepcf-menu-class.php:21
actionfepcf_menu_buttonfepcf-menu-class.php:22
actionwp_loadedfepcf-menu-class.php:55
actionfepcf_menu_buttonfepcf-send-email-class.php:19
actionfepcf_switch_newemailfepcf-send-email-class.php:20
actionfepcf_action_message_after_sendfepcf-send-email-class.php:21
actionwp_loadedfepcf-send-email-class.php:191
actionfep_menu_buttonfront-end-pm\fepcf-if-fep.php:20
actionfep_switch_mycontactmgsfront-end-pm\fepcf-if-fep.php:21
actionfep_menu_buttonfront-end-pm\fepcf-if-fep.php:22
actionfep_switch_newemailfront-end-pm\fepcf-if-fep.php:23
actionfep_menu_buttonfront-end-pm\fepcf-if-fep.php:25
actionfep_menu_buttonfront-end-pm\fepcf-if-fep.php:26
actionfep_switch_contactmgsfront-end-pm\fepcf-if-fep.php:27
actionfep_switch_spamfront-end-pm\fepcf-if-fep.php:28
actionfep_switch_emptyspamfront-end-pm\fepcf-if-fep.php:29
actionfep_switch_notspamfront-end-pm\fepcf-if-fep.php:30
actionfep_switch_deletefront-end-pm\fepcf-if-fep.php:31
actionfep_switch_viewcontactfront-end-pm\fepcf-if-fep.php:32
actionwp_loadedfront-end-pm\fepcf-if-fep.php:258
filterfepcf_filter_display_messagefunctions.php:353
filterfepcf_filter_display_messagefunctions.php:359
filterfepcf_filter_display_titlefunctions.php:365
actiontemplate_redirectfunctions.php:367
Maintenance & Trust

FEP Contact Form Maintenance & Trust

Maintenance Signals

WordPress version tested4.2.39
Last updatedApr 23, 2015
PHP min version
Downloads4K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

FEP Contact Form Alternatives

ALIDANI Contact forms

ALIDANI Contact forms

alidani-contact-form

A
85

Contact form with visual form builder. Contact form that sends the data to email, to a database list and easy to update the content.

10 No CVEs
OweBest Contact Form

OweBest Contact Form

ob-contact-form

A
100

OweBest Contact form is a simple contact form which works out of the box. Use shortcode on posts or pages to generate OweBest Contact Form.

10 No CVEs
OB Contact Form to DB

OB Contact Form to DB

ob-contact-form-to-db

A
85

OB Contact form to DB is an addon to OB Contact Form plugin, to stor all submitted entries into database and show them in back-end.

10 No CVEs
Creative Mail – Easier WordPress & WooCommerce Email Marketing

Creative Mail – Easier WordPress & WooCommerce Email Marketing

creative-mail-by-constant-contact

A
90

Creative Mail was designed specifically for WordPress and WooCommerce. Our intelligent (and super fun) email editor simplifies email marketing campaig …

300K 3 CVEs
Gravity PDF

Gravity PDF

gravity-forms-pdf-extended

A
100

Automatically generate, email and download PDF documents from Gravity Forms entries

20K 1 CVE
Developer Profile

FEP Contact Form Developer Profile

Shamim Hasan

6 plugins · 5K total installs

78
trust score
Avg Security Score
86/100
Avg Patch Time
77 days
View full developer profile
Detection Fingerprints

How We Detect FEP Contact Form

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fep-contact-form/fepcf-script.js/wp-content/plugins/fep-contact-form/fepcf-admin-script.js
Script Paths
/wp-content/plugins/fep-contact-form/fepcf-script.js/wp-content/plugins/fep-contact-form/fepcf-admin-script.js
Version Parameters
fep-contact-form/fepcf-script.js?ver=fep-contact-form/fepcf-admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
fepcf-options-table
Data Attributes
data-fepcf-nonce
JS Globals
fepcf_create_nonce
FAQ

Frequently Asked Questions about FEP Contact Form