Filled In Security & Risk Analysis

wordpress.org/plugins/filled-in

Generic form processor allowing forms to be painlessly processed and aggregated, with numerous options to validate data and perform custom commands

20 active installs · v1.9.6 · PHP + WP 2.7+ · Updated Nov 26, 2025
Tags: contact · form · validate
Score: 99 · Grade A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Feb 11, 2025
Safety Verdict

Is Filled In Safe to Use in 2026?

Generally Safe

Score 99/100

Filled In has a strong security track record: one published CVE (CVE-2025-22628, a CSRF leading to stored XSS in versions up to 1.9.2), fixed in 1.9.3, and nothing currently unpatched. It is a reasonable choice for most WordPress installations, provided the static-analysis concerns below are weighed.

1 known CVE · Last CVE: Feb 11, 2025 · Updated 5mo ago
Risk Assessment

Filled In v1.9.6 shows a mixed security posture. On the positive side, output escaping is applied consistently (843 of 853 outputs escaped, 99%), the code carries 18 nonce checks and 40 capability checks, and there are no external HTTP requests and no bundled third-party libraries, which removes two common risk vectors. The static analysis still raises substantive concerns. The 45 flagged dangerous-function calls are 39 assert() calls and 6 unserialize() calls. Most of the asserts only type-check arguments, but seven pass a string (for example assert ('intval ($formid) > 0') in models\data.php:61): with assertions enabled, PHP 5 and 7 evaluate such a string as code, and on PHP 8 a non-empty string is simply truthy, so the check never fails. The unserialize() calls deserialize values read back from storage (cookie, upload and post-data records, error messages, extension config, form options) without an allowed_classes restriction; if any of those values can be influenced by a visitor, that is a PHP object injection primitive. Whether they can is not established by this analysis. Taint analysis finds 18 data flows, 8 of which have an unsanitized path (two critical, two high). Only 56 of 115 SQL queries (49%) go through prepared statements. There is no unpatched CVE, but the one published issue, a CSRF that led to stored XSS in versions up to 1.9.2 (CVE-2025-22628, fixed in 1.9.3), shows that a state-changing action was once reachable without a nonce check. The plugin's strengths are output escaping and authorization checks; the string asserts, the unrestricted unserialize() calls, the unprepared queries and the tainted flows are the areas to remediate first.
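The unserialize() and string-assert() hazards described above, shown as an added example. This is not code from the Filled In plugin: the DemoLogger class, the two loader functions, the require_form_id() helper and the serialized blob are all constructed for the demo (PHP 7.0 or later, for the allowed_classes option).

```php
<?php
// Added example, not code from the Filled In plugin. Everything here
// (DemoLogger, the two loaders, the serialized blob) is constructed for the demo.
declare(strict_types=1);

// Hypothetical gadget class: any class with a magic method that does work on
// wake-up. If unserialize() is allowed to instantiate it, whoever controls the
// blob also controls $this->path at the moment __wakeup() runs.
final class DemoLogger
{
    public $path = '/tmp/demo.log';
    public $events = [];

    public function __wakeup()
    {
        // Side effect chosen by the data, not by the caller of unserialize().
        $this->events[] = 'wakeup would write to ' . $this->path;
    }
}

// Vulnerable shape, same as the flagged calls (e.g. unserialize ($data->cookie)):
// a blob read back from the database or a cookie goes straight into unserialize().
function load_config_unsafe(string $blob)
{
    return unserialize($blob);
}

// Hardened shape: no class may be instantiated, so any object comes back as
// __PHP_Incomplete_Class and no magic method runs. Anything that is not the
// expected array is rejected (fail closed) instead of being used.
function load_config_safe(string $blob): array
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    return is_array($value) ? $value : [];
}

// Constructed payload: what someone who can influence the stored value would plant.
$payload = 'O:10:"DemoLogger":2:{s:4:"path";s:11:"/etc/passwd";s:6:"events";a:0:{}}';

$obj = load_config_unsafe($payload);
var_dump($obj instanceof DemoLogger);   // the gadget was instantiated and __wakeup() already ran
echo $obj->events[0], PHP_EOL;          // the path chosen by the blob, not by the plugin

var_dump(load_config_safe($payload));   // empty array: object rejected, __wakeup() never ran

// Legitimate data still round-trips through the hardened loader.
$legit = serialize(['notify' => 'admin@example.com', 'max_size' => 1048576]);
print_r(load_config_safe($legit));

// The other flagged construct, assert ('intval ($formid) > 0'): with assertions
// enabled, PHP 5 and 7 evaluate a string argument as code; PHP 8 treats it as an
// ordinary non-empty string, which is always true, so the check silently passes.
// Write the precondition as a real check that fails the same way on every version.
function require_form_id(int $formid): int
{
    if ($formid <= 0) {
        throw new InvalidArgumentException('form id must be positive');
    }
    return $formid;
}

try {
    require_form_id(0);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

For configuration-shaped data (options, extension config) the simpler fix is to stop using PHP serialization altogether and store JSON: json_decode() cannot instantiate classes, so the object-injection question disappears. Where serialized objects are genuinely needed, pass an explicit list in allowed_classes rather than false.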

Key Concerns

  • Critical severity taint flows found (2)
  • High severity taint flows found (2)
  • High number of dangerous functions present (45: 39 assert, 6 unserialize)
  • Significant percentage of SQL queries not using prepared statements (59 of 115 raw)
  • Flows with unsanitized paths (8 of 18)
  • unserialize() called on stored data without an allowed_classes restriction (6 sites)
  • assert() used for argument checks, 7 of them with a string argument
  • Past medium severity vulnerability (CVE-2025-22628, CSRF leading to stored XSS, fixed in 1.9.3)
Vulnerabilities
1 published

Filled In Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-22628 · Medium · CVSS 6.1 · Cross-Site Request Forgery (CSRF)

Filled In <= 1.9.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Feb 11, 2025 · Patched in 1.9.3 (70d)
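The CSRF-to-stored-XSS chain behind this CVE, reconstructed in general form as an added example. It is not the plugin's code (this page does not show the affected handler): the 'report_title' field, the $store array, the user and session arrays, the HMAC nonce and its key are all constructed for the demo. In WordPress the same roles are played by check_admin_referer() / wp_verify_nonce(), current_user_can() and esc_html().

```php
<?php
// Added example, not code from Filled In. Hypothetical handler showing the
// two halves of a CSRF-to-stored-XSS chain and the check that closes each one.
declare(strict_types=1);

const NONCE_KEY = 'demo-secret-rotate-me';   // constructed; WP derives this from its salts

// Nonce bound to an action and to the victim's session, so a cross-site form
// cannot carry a valid one (the attacker's page never sees the victim's session).
function make_nonce(string $action, string $session): string
{
    return substr(hash_hmac('sha256', $action . '|' . $session, NONCE_KEY), 0, 16);
}

function verify_nonce(string $nonce, string $action, string $session): bool
{
    return hash_equals(make_nonce($action, $session), $nonce);
}

// Before: any POST is honoured. A logged-in admin who visits an attacker page
// that auto-submits this form stores attacker-chosen HTML in the plugin's data.
function save_title_before(array $post, array &$store): void
{
    $store['report_title'] = $post['report_title'];
}

// After: the state change requires a capability and a session-bound nonce.
function save_title_after(array $post, array $user, array &$store): bool
{
    if (!in_array('manage_options', $user['caps'], true)) {
        return false;
    }
    if (!verify_nonce($post['_nonce'] ?? '', 'fi_save_title', $user['session'])) {
        return false;
    }
    $store['report_title'] = $post['report_title'];
    return true;
}

// Output side. Unescaped output turns the forged write into stored XSS for every
// later visitor; esc_html() in WordPress is htmlspecialchars() with ENT_QUOTES.
function render_title_unescaped(array $store): string
{
    return '<h2>' . $store['report_title'] . '</h2>';
}

function render_title_escaped(array $store): string
{
    return '<h2>' . htmlspecialchars($store['report_title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h2>';
}

// Constructed scenario.
$victim = ['caps' => ['manage_options'], 'session' => 'sess-abc'];
$forged = ['report_title' => '<script>alert(1)</script>'];   // cross-site form: no nonce
$store  = ['report_title' => 'Q1 report'];

save_title_before($forged, $store);
echo render_title_unescaped($store), PHP_EOL;              // script tag lands on the page

$store = ['report_title' => 'Q1 report'];
var_dump(save_title_after($forged, $victim, $store));      // rejected: nonce missing, store untouched

$genuine = $forged + ['_nonce' => make_nonce('fi_save_title', $victim['session'])];
var_dump(save_title_after($genuine, $victim, $store));     // accepted: same-origin form carries the nonce
echo render_title_escaped($store), PHP_EOL;                // stored markup rendered inert
```

The nonce check stops the cross-site write and the escaping stops the stored script; either alone leaves the other half of the chain intact. Sanitizing on input (sanitize_text_field() in WordPress) is worthwhile defence in depth, but it does not replace escaping at the output sink, which is the control the 99% escaping figure on this page measures.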
Version History

Filled In Release Timeline

v1.8.23 · 1 CVE
v1.8.15 · 1 CVE
v1.7.7 · 1 CVE
v1.7.6 · 1 CVE
v1.7.5 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Filled In Code Analysis

Dangerous Functions: 45
Raw SQL Queries: 59 (56 prepared, 115 total)
Unescaped Output: 10 (843 escaped)
Nonce Checks: 18
Capability Checks: 40
File Operations: 10
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

assert · controller\front.php:352 · assert (is_a ($form, 'FI_Form'));
assert · controller\front.php:353 · assert (is_string ($text));
assert · extensions\post\email-wp.php:130 · assert (is_a ($source, 'FI_Data'));
assert · extensions\post\email-wp.php:187 · assert (is_a ($source, 'FI_Data'));
assert · extensions\post\email-wp.php:215 · assert (is_a ($source, 'FI_Data'));
assert · extensions\post\email.php:154 · assert (is_a ($source, 'FI_Data'));
assert · extensions\post\email.php:189 · assert (is_a ($source, 'FI_Data'));
assert · extensions\post\email.php:221 · assert (is_a ($source, 'FI_Data'));
assert · extensions\result\display_message.php:74 · assert (is_a ($source, 'FI_Data'));
assert · models\data\source_cookies.php:9 · assert (is_array ($config));
unserialize · models\data\source_cookies.php:20 · $this->data = unserialize ($data->cookie);
assert · models\data\source_cookies.php:33 · assert (is_string ($text));
assert · models\data\source_cookies.php:34 · assert (is_bool ($encode));
unserialize · models\data\source_files.php:35 · $this->data = unserialize ($data->upload);
assert · models\data\source_files.php:91 · assert (is_string ($text));
assert · models\data\source_files.php:92 · assert (is_a ($errors, 'FI_Errors'));
unserialize · models\data\source_post.php:42 · $this->data = @unserialize ($data->data);
assert · models\data\source_post.php:118 · assert (is_string ($text));
assert · models\data\source_post.php:119 · assert (is_bool ($encode));
assert · models\data.php:61 · assert ('intval ($formid) > 0');
assert · models\data.php:126 · assert (is_a ($errors, 'FI_Errors'));
assert · models\data.php:135 · assert (is_a ($pager, 'FI_Pager'));
assert · models\data.php:169 · assert (is_a ($pager, 'FI_Pager'));
assert · models\email_attachment.php:9 · assert ('strlen ($template) > 0');
unserialize · models\errors.php:19 · $this->message = unserialize ($this->message);
assert · models\errors.php:45 · assert ('intval ($form_id) > 0');
assert · models\errors.php:46 · assert ('intval ($data_id) > 0');
assert · models\errors.php:88 · assert (is_array ($extensions));
assert · models\extensions\filter.php:25 · assert (is_a ($config, 'FI_Data_POST'));
assert · models\extensions\filter.php:31 · assert (is_a ($data, 'FI_Data'));
assert · models\extensions.php:24 · assert (is_array ($values));
unserialize · models\extensions.php:30 · $this->config = unserialize ($this->config);
assert · models\extensions.php:35 · assert ('intval ($formid) > 0');
assert · models\extensions.php:58 · assert ('intval ($id) > 0');
assert · models\extensions.php:75 · assert (is_a ($config, 'FI_Data_POST'));
assert · models\extensions.php:99 · assert ('intval ($formid) > 0');
assert · models\extensions.php:100 · assert (is_string ($type));
assert · models\extensions.php:162 · assert (is_array ($order));
assert · models\file_upload.php:48 · assert (is_string ($dest));
unserialize · models\form.php:27 · $this->options = unserialize ($this->options);
assert · models\form.php:34 · assert (is_a ($pager, 'FI_Pager'));
assert · models\form.php:126 · assert (is_string ($newname));
assert · models\form.php:127 · assert (is_string ($quick));
assert · models\form_replacer.php:93 · assert (is_array ($matches));
assert · models\form_replacer.php:118 · assert (is_array ($matches));

SQL Query Safety

49% prepared · 115 total queries

Output Escaping

99% escaped · 853 total outputs
Data Flows · Security
8 unsanitized

Data Flow Analysis

18 flows · 8 with unsanitized paths
edit_report (controller\admin.php:336)
[Flow diagram: nodes are Source (user input), Sanitizer, Transform and Sink (dangerous op); edges are marked Sanitized or Unsanitized]
Attack Surface

Filled In Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 26
action · activate_filled-in/filled_in.php · controller\admin.php:19
filter · admin_menu · controller\admin.php:23
action · wp_print_scripts · controller\admin.php:24
action · admin_head · controller\admin.php:25
action · admin_print_styles · controller\admin.php:26
action · admin_footer · controller\admin.php:27
filter · contextual_help · controller\admin.php:28
action · admin_init · controller\admin.php:33
filter · audit_collect · controller\admin.php:38
action · filled_in_cron_delete_failed_sumbmitions_event · controller\cron.php:24
action · wp_loaded · controller\front.php:26
action · template_redirect · controller\front.php:28
action · template_redirect · controller\front.php:32
filter · the_content · controller\front.php:33
filter · the_excerpt · controller\front.php:34
filter · widget_text · controller\front.php:35
filter · the_filled_in_form · controller\front.php:36
filter · the_content · controller\front.php:37
filter · the_excerpt · controller\front.php:38
filter · spu/popup/content · controller\front.php:40
action · wp_head · controller\front.php:95
action · init · plugin.php:140
action · admin_menu · plugin.php:144
action · admin_menu · plugin.php:147
action · admin_menu · plugin.php:150
action · dbx_post_advanced · plugin.php:232

Scheduled Events: 1

filled_in_cron_delete_failed_sumbmitions_event
Maintenance & Trust

Filled In Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Nov 26, 2025
PHP min version: (not listed)
Downloads: 15K

Community Trust

Rating: 66/100
Number of ratings: 3
Active installs: 20
Developer Profile

Filled In Developer Profile

FolioVision

19 plugins · 48K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 1098 days
Detection Fingerprints

How We Detect Filled In

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/filled-in/controller/admin.css
/wp-content/plugins/filled-in/controller/admin.js
Script Paths
/wp-content/plugins/filled-in/controller/admin.js
Version Parameters
filled-in/controller/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
filled-in-form
Data Attributes
data-filled-in-id
JS Globals
filled_in
REST Endpoints
/wp-json/filled-in/v1/forms
Shortcode Output
<form class="filled-in-form" id="fi-form-
<input type="hidden" name="fi_nonce" value="
<input type="hidden" name="fi_id" value="
FAQ

Frequently Asked Questions about Filled In