Flamingo Security & Risk Analysis

wordpress.org/plugins/flamingo

A trustworthy message storage plugin for Contact Form 7.

800K active installs · v2.6.1 · PHP 7.4+ · WP 6.7+ · Updated Dec 1, 2025
Tags: bird, contact, crm, mail
Security score: 100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Jan 15, 2020

Is Flamingo Safe to Use in 2026?

Generally Safe

Score 100/100

Flamingo has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jan 15, 2020 · Updated 4mo ago
Risk Assessment

Flamingo v2.6.1 demonstrates a generally good security posture, with strong adherence to best practices such as prepared statements for all SQL queries and robust output escaping (94%). The plugin also implements a healthy number of nonce and capability checks, indicating an awareness of common WordPress security vulnerabilities. The static analysis shows no immediate critical risks related to dangerous functions, file operations, or external HTTP requests. The total attack surface is also minimal, with no exposed AJAX handlers, REST API routes, or shortcodes that are unprotected.

However, there are a couple of areas that warrant attention. The taint analysis revealed two flows with unsanitized paths, which, while not classified as critical or high severity in this analysis, could potentially be exploited under certain conditions if user input is involved. Furthermore, the plugin has a history of a medium severity vulnerability related to Command Injection, even though it is currently patched. This historical pattern suggests that developers should remain vigilant about input sanitization, particularly for any functionality that might interact with system commands or sensitive paths.

In conclusion, Flamingo v2.6.1 is a relatively secure plugin, backed by good coding practices. The primary concerns stem from the presence of unsanitized paths in the taint analysis and the historical vulnerability type. While no current critical vulnerabilities are evident, proactive monitoring and potentially further code review around the identified taint flows would be beneficial for maintaining a robust security profile.

Key Concerns

  • Flows with unsanitized paths identified
  • Historical Command Injection vulnerability

Flamingo Security Vulnerabilities

CVEs by Year

2020: 1 CVE (patched)

Severity Breakdown

Medium: 1

1 total CVE

WF-78760d4d-04fc-4a6c-8c0d-6bf897335651-flamingo
Severity: medium · 6.4
Weakness: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Flamingo <= 2.1 - CSV Injection

Jan 15, 2020 · Patched in 2.1.1 (1469d)
Flamingo Code Analysis

Analyzed Mar 16, 2026

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 10 (161 escaped)
Nonce Checks: 17
Capability Checks: 21
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

94% escaped · 171 total outputs

Data Flow Analysis

3 flows · 2 with unsanitized paths

flamingo_contact_admin_page (admin\admin.php:309)

Diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Flamingo Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks: 17

action admin_menu (admin\admin.php:6)
filter set_screen_option_flamingo_contacts_per_page (admin\admin.php:50)
filter set_screen_option_flamingo_inbound_messages_per_page (admin\admin.php:54)
action admin_enqueue_scripts (admin\admin.php:71)
action flamingo_admin_updated_message (admin\admin.php:121)
filter wp_privacy_personal_data_erasers (admin\includes\privacy.php:9)
action init (flamingo.php:57)
filter wp_untrash_post_status (flamingo.php:62)
filter map_meta_cap (includes\capabilities.php:3)
action wp_insert_comment (includes\comment.php:6)
action transition_comment_status (includes\comment.php:26)
action admin_init (includes\cron.php:9)
action flamingo_hourly_cron_job (includes\cron.php:23)
filter flamingo_csv_quotation (includes\csv.php:202)
filter flamingo_csv_field_prefix (includes\csv.php:215)
action profile_update (includes\user.php:7)
action user_register (includes\user.php:8)

Scheduled Events: 1

flamingo_hourly_cron_job

Flamingo Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 1, 2025
PHP min version: 7.4
Downloads: 8.1M

Community Trust

Rating: 84/100
Number of ratings: 118
Active installs: 800K

Flamingo Developer Profile

Rock Lobster Inc.

6 plugins · 11.1M total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 1303 days

How We Detect Flamingo

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/flamingo/admin/includes/css/style.css
/wp-content/plugins/flamingo/admin/includes/css/style-rtl.css
/wp-content/plugins/flamingo/admin/includes/js/index.js

Script Paths
/wp-content/plugins/flamingo/admin/includes/js/index.js

Version Parameters
flamingo/admin/includes/css/style.css?ver=
flamingo/admin/includes/css/style-rtl.css?ver=
flamingo/admin/includes/js/index.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-id, data-group

JS Globals
flamingo

REST Endpoints
/wp-json/flamingo/v1/contacts
/wp-json/flamingo/v1/inbound-messages

Frequently Asked Questions about Flamingo