Form Generator for WordPress Security & Risk Analysis

wordpress.org/plugins/form-generator-powered-by-jotform

Form Generator seamlessly delivers JotForm to your WordPress website.

200 active installs · v1.52 · PHP + · WP 3.0+ · Updated Feb 27, 2014
Tags: form-builder, form-maker, forms-generator, jotform, jotform-wordpress-plugin
Score: 63
Grade: C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is Form Generator for WordPress Safe to Use in 2026?

Use With Caution

Score 63/100

Form Generator for WordPress has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 12yr ago
Risk Assessment

The "form-generator-powered-by-jotform" plugin v1.52 presents a mixed security posture. While it demonstrates good practices by securing all identified entry points (AJAX handlers, REST API routes, shortcodes) with authentication or permission checks, and includes a reasonable percentage of prepared SQL statements, there are significant areas of concern. The presence of 11 dangerous function calls, particularly 'unserialize', is a red flag, as unserialization vulnerabilities can lead to remote code execution if not handled with extreme care. Furthermore, the taint analysis revealing 5 flows with unsanitized paths, although not classified as critical or high severity in this analysis, indicates potential weaknesses in input validation that could be exploited. The plugin's vulnerability history, featuring one medium severity Cross-Site Scripting (XSS) CVE with a recent disclosure date and still unpatched, further exacerbates these concerns, suggesting a pattern of input sanitization issues. While the plugin's robust authentication for its entry points is a strength, the identified code signals and taint flow issues, coupled with the unpatched XSS vulnerability, necessitate careful consideration.

Key Concerns

  • Unpatched CVEs
  • Flows with unsanitized paths
  • Dangerous functions (unserialize)
  • Output escaping below 100%
  • SQL queries not fully prepared
  • Bundled libraries (potential risks)
Vulnerabilities
1 published

Form Generator for WordPress Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched (chart legend: Patched, Has unpatched)

Severity Breakdown

Medium · 1 (1 total CVE)

CVE-2025-58665 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Form Generator for WordPress <= 1.52 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 22, 2025 · Unpatched
Version History

Form Generator for WordPress Release Timeline

  • v1.52 (current) · 1 CVE
  • v1.51 · 1 CVE
  • v1.5 · 1 CVE
  • v1.4 · 1 CVE
  • v1.3.3 · 1 CVE
  • v1.3.2 · 1 CVE
  • v1.3.1 · 1 CVE
  • v1.3 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Form Generator for WordPress Code Analysis

Dangerous Functions: 11
Raw SQL Queries: 6 (7 prepared)
Unescaped Output: 57 (104 escaped)
Nonce Checks: 4
Capability Checks: 7
File Operations: 180
External Requests: 2
Bundled Libraries: 2

Dangerous Functions Found

  • unserialize · $this->_currentObject = unserialize($obj); · inc\PHPExcel\CachedObjectStorage\APC.php:156
  • unserialize · $this->_currentObject = unserialize(fread($this->_fileHandle,$this->_cellCache[$pCoord]['sz'])); · inc\PHPExcel\CachedObjectStorage\DiscISAM.php:126
  • unserialize · $this->_currentObject = unserialize($obj); · inc\PHPExcel\CachedObjectStorage\Memcache.php:160
  • unserialize · $this->_currentObject = unserialize(gzinflate($this->_cellCache[$pCoord])); · inc\PHPExcel\CachedObjectStorage\MemoryGZip.php:98
  • unserialize · $this->_currentObject = unserialize($this->_cellCache[$pCoord]); · inc\PHPExcel\CachedObjectStorage\MemorySerialized.php:98
  • unserialize · $this->_currentObject = unserialize(fread($this->_fileHandle,$this->_cellCache[$pCoord]['sz'])); · inc\PHPExcel\CachedObjectStorage\PHPTemp.php:118
  • unserialize · $this->_currentObject = unserialize($cellResult); · inc\PHPExcel\CachedObjectStorage\SQLite.php:118
  • unserialize · $this->_currentObject = unserialize($cellData['value']); · inc\PHPExcel\CachedObjectStorage\SQLite3.php:150
  • unserialize · $this->_currentObject = unserialize($obj); · inc\PHPExcel\CachedObjectStorage\Wincache.php:160
  • unserialize · $this->{$key} = unserialize(serialize($val)); · inc\PHPExcel\Worksheet.php:2813
  • unserialize · $this->{$key} = unserialize(serialize($val)); · inc\PHPExcel.php:622

Bundled Libraries

  • dompdf
  • TCPDF

SQL Query Safety

54% prepared · 13 total queries

Output Escaping

65% escaped · 161 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

9 flows · 5 with unsanitized paths
fetch_ajax_url_http (inc\jc-base.class.php:377)
(flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized)
Attack Surface

Form Generator for WordPress Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 2

  • auth · wp_ajax_comment_author_deurl · inc\admin.php:839
  • auth · wp_ajax_comment_author_reurl · inc\admin.php:854

Shortcodes 2

  • [jotform] · inc\jc-base.class.php:68
  • [dxsampcode] · inc\jc-base.class.php:335
WordPress Hooks 33
  • action · admin_menu · inc\admin.php:2
  • action · admin_notices · inc\admin.php:17
  • action · admin_init · inc\admin.php:28
  • action · admin_enqueue_scripts · inc\admin.php:30
  • filter · plugin_action_links · inc\admin.php:65
  • action · activity_box_end · inc\admin.php:344
  • action · admin_notices · inc\admin.php:371
  • action · admin_notices · inc\admin.php:404
  • action · admin_notices · inc\admin.php:417
  • filter · comment_row_actions · inc\admin.php:479
  • filter · comment_text · inc\admin.php:541
  • action · rightnow_end · inc\admin.php:580
  • action · manage_comments_nav · inc\admin.php:593
  • action · transition_comment_status · inc\admin.php:738
  • action · admin_action_akismet_recheck_queue · inc\admin.php:823
  • action · jetpack_admin_menu · inc\admin.php:911
  • action · wp_enqueue_scripts · inc\jc-base.class.php:21
  • action · wp_enqueue_scripts · inc\jc-base.class.php:22
  • action · admin_enqueue_scripts · inc\jc-base.class.php:25
  • action · admin_enqueue_scripts · inc\jc-base.class.php:26
  • action · admin_menu · inc\jc-base.class.php:29
  • action · plugins_loaded · inc\jc-base.class.php:43
  • action · admin_init · inc\jc-base.class.php:46
  • action · init · inc\jc-base.class.php:49
  • action · admin_init · inc\jc-plugin-settings.class.php:11
  • action · init · inc\jotForm-embed.php:6
  • filter · the_content · inc\jotForm-embed.php:9
  • filter · mce_external_plugins · inc\jotForm-embed.php:14
  • filter · mce_buttons · inc\jotForm-embed.php:15
  • filter · sanitize_title · inc\submissions-template.php:639
  • filter · widget_text · jotform-connect.php:46
  • filter · the_excerpt · jotform-connect.php:47
  • filter · get_the_excerpt · jotform-connect.php:48
Maintenance & Trust

Form Generator for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Feb 27, 2014
PHP min version:
Downloads: 19K

Community Trust

Rating: 86/100
Number of ratings: 4
Active installs: 200
Developer Profile

Form Generator for WordPress Developer Profile

tmontg1

1 plugin · 200 total installs

Trust score: 68
Avg Security Score: 63/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Form Generator for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/css/bootstrap-responsive.min.css
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/css/bootstrap.min.css
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/css/jquery.datetimepicker.css
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/css/style.css
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/bootstrap-datepicker.js
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/bootstrap.min.js
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/jquery.datetimepicker.full.min.js
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/jquery.min.js
  • +5 more
Script Paths
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/jquery.min.js
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/bootstrap.min.js
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/parsley.min.js
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/select2.min.js
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/jquery.datetimepicker.full.min.js
  • /wp-content/plugins/form-generator-powered-by-jotform/assets/js/bootstrap-datepicker.js
  • +3 more
Version Parameters
  • form-generator-powered-by-jotform/assets/css/bootstrap-responsive.min.css?ver=
  • form-generator-powered-by-jotform/assets/css/bootstrap.min.css?ver=
  • form-generator-powered-by-jotform/assets/css/jquery.datetimepicker.css?ver=
  • form-generator-powered-by-jotform/assets/css/style.css?ver=
  • form-generator-powered-by-jotform/assets/js/bootstrap-datepicker.js?ver=
  • form-generator-powered-by-jotform/assets/js/bootstrap.min.js?ver=
  • form-generator-powered-by-jotform/assets/js/jquery.datetimepicker.full.min.js?ver=
  • form-generator-powered-by-jotform/assets/js/jquery.min.js?ver=
  • form-generator-powered-by-jotform/assets/js/main.js?ver=
  • form-generator-powered-by-jotform/assets/js/numeral.min.js?ver=
  • form-generator-powered-by-jotform/assets/js/parsley.min.js?ver=
  • form-generator-powered-by-jotform/assets/js/select2.min.js?ver=
  • form-generator-powered-by-jotform/inc/js/admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
jotform-form-container, jotform-form-wrapper
HTML Comments
  • <!-- Powered by JotForm -->
  • <!-- Start JotForm embed code -->
  • <!-- End JotForm embed code -->
Data Attributes
data-form-id, data-form-token
JS Globals
JotformEmbed, JotformAPI
Shortcode Output
[jotform-form-container], [jotform-form-wrapper]
FAQ

Frequently Asked Questions about Form Generator for WordPress