Form Vibes – Database Manager for Forms Security & Risk Analysis

wordpress.org/plugins/form-vibes

Never miss a single lead! Save and manage all Contact Form 7 and Elementor form submissions easily. View, Export, Analyze and Filter submissions.

10K active installs · v1.5.1 · PHP 7.4+ · WP 5.0+ · Updated Jan 29, 2026
Tags: contact-form-7, contact-form-7-db, contact-form-db, elementor-db-manager, elementor-form-db
Score: 92 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jan 5, 2026
Safety Verdict

Is Form Vibes – Database Manager for Forms Safe to Use in 2026?

Generally Safe

Score 92/100

Form Vibes – Database Manager for Forms has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 5, 2026 · Updated 2mo ago
Risk Assessment

The "form-vibes" v1.5.2 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices in output escaping, with 100% of outputs being properly escaped, and a high percentage (84%) of SQL queries utilizing prepared statements. Furthermore, all identified AJAX entry points have been secured with authorization checks, and there are no shortcodes, cron events, or REST API routes that present an immediate attack surface without proper permission callbacks. The plugin also correctly implements nonce checks and capability checks for many of its operations.

However, several areas raise significant concerns. The presence of a dangerous `unserialize` function, even if not directly linked to a critical taint flow in the static analysis, is a known vector for remote code execution vulnerabilities if user-controlled data is involved. The taint analysis revealed two high-severity flows with unsanitized paths, indicating potential for injection-like vulnerabilities. The plugin's history of four known CVEs, including two high-severity ones for "Missing Authorization" and "SQL Injection," is particularly worrying. While there are no currently unpatched CVEs, the recurring nature of these vulnerability types suggests underlying architectural weaknesses that may not be fully addressed.

In conclusion, while "form-vibes" v1.5.2 has implemented several security best practices, the identified dangerous function, high-severity taint flows, and a history of critical vulnerability types warrant caution. The plugin's strengths lie in its output escaping and secure AJAX handling, but the potential for injection and deserialization vulnerabilities, coupled with its past vulnerability record, necessitates careful monitoring and potential mitigation efforts.

Key Concerns

  • High severity taint flows
  • Dangerous function: unserialize
  • History of High severity CVEs (2)
  • History of Medium severity CVEs (2)
  • Taint flows with unsanitized paths (3)
  • Bundled library: Guzzle
Vulnerabilities: 4

Form Vibes – Database Manager for Forms Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 2 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 2

4 total CVEs

CVE-2025-13409 (medium · 4.9): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Form Vibes – Database Manager for Forms <= 1.4.13 - Authenticated (Admin+) SQL Injection
Jan 5, 2026 · Patched in 1.5 (1d)

CVE-2024-5309 (medium · 5.4): Missing Authorization
Form Vibes – Database Manager for Forms <= 1.4.12 - Missing Authorization in Multiple Functions
Sep 4, 2024 · Patched in 1.4.13 (3d)

CVE-2024-5325 (high · 8.8): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Form Vibes <= 1.4.10 - Authenticated (Subscriber+) SQL Injection via fv_export_data
Jul 11, 2024 · Patched in 1.4.11 (2d)

CVE-2022-3764 (high · 7.2): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Form Vibes <= 1.4.5 - Authenticated (Administrator+) SQL Injection
Nov 8, 2022 · Patched in 1.4.6 (441d)

Code Analysis
Analyzed Mar 16, 2026

Form Vibes – Database Manager for Forms Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 9 (47 prepared)
  • Unescaped Output: 0 (45 escaped)
  • Nonce Checks: 13
  • Capability Checks: 5
  • File Operations: 6
  • External Requests: 0
  • Bundled Libraries: 1

Dangerous Functions Found

  • unserialize: `$form_name = unserialize( $form->config );` at inc\integrations\caldera.php:414

Bundled Libraries

Guzzle

SQL Query Safety

84% prepared (56 total queries)

Output Escaping

100% escaped (45 total outputs)

Data Flows: 3 unsanitized

Data Flow Analysis

7 flows, 3 with unsanitized paths
<export> (inc\classes\export.php:0)
Attack Surface

Form Vibes – Database Manager for Forms Attack Surface

Entry Points: 9
Unprotected: 0

AJAX Handlers: 9

auth · wp_ajax_save_settings · inc\classes\settings.php:47
auth · wp_ajax_reset_settings · inc\classes\settings.php:48
auth · wp_ajax_save_columns_settings · inc\classes\settings.php:49
auth · wp_ajax_elementor_data_import · inc\integrations\elementor.php:65
auth · wp_ajax_fv_get_analytics_data · inc\modules\analytics\module.php:51
auth · wp_ajax_fv_event_logs · inc\modules\logs\module.php:49
auth · wp_ajax_fv_get_submissions · inc\modules\submissions\module.php:51
auth · wp_ajax_fv_delete_submissions · inc\modules\submissions\module.php:52
auth · wp_ajax_fv_get_columns · inc\modules\submissions\module.php:53

WordPress Hooks: 61

action · init · form-vibes.php:40
action · plugins_loaded · form-vibes.php:44
action · admin_enqueue_scripts · inc\bootstrap.php:96
filter · script_loader_tag · inc\bootstrap.php:98
action · init · inc\bootstrap.php:158
action · admin_menu · inc\bootstrap.php:164
action · admin_menu · inc\bootstrap.php:165
filter · plugin_row_meta · inc\bootstrap.php:166
action · init · inc\bootstrap.php:167
filter · formvibes/global/settings · inc\bootstrap.php:172
action · admin_notices · inc\bootstrap.php:469
action · init · inc\classes\export.php:28
filter · formvibes/global/settings · inc\classes\settings.php:45
filter · formvibes/global/settings · inc\classes\settings.php:46
action · init · inc\classes\settings.php:50
filter · fl_builder_register_settings_form · inc\integrations\beaver-builder.php:57
action · fl_module_contact_form_before_send · inc\integrations\beaver-builder.php:59
filter · fv_forms · inc\integrations\beaver-builder.php:61
filter · fv_forms · inc\integrations\bricks.php:70
filter · bricks/elements/form/controls · inc\integrations\bricks.php:73
filter · bricks/form/response · inc\integrations\bricks.php:78
filter · fv_forms · inc\integrations\caldera.php:53
filter · formvibes/forms · inc\integrations\caldera.php:55
action · wpcf7_before_send_mail · inc\integrations\cf7.php:68
filter · fv_forms · inc\integrations\cf7.php:70
filter · wpcf7_mail_components · inc\integrations\cf7.php:72
action · elementor_pro/forms/process · inc\integrations\elementor.php:64
filter · fv_forms · inc\integrations\elementor.php:67
filter · elementor_pro/forms/wp_mail_message · inc\integrations\elementor.php:68
filter · fv_forms · inc\integrations\everest.php:70
action · everest_forms_process · inc\integrations\everest.php:71
filter · fv_forms · inc\integrations\gravity-forms.php:72
action · gform_confirmation · inc\integrations\gravity-forms.php:74
filter · fv_forms · inc\integrations\ninja.php:70
action · ninja_forms_after_submission · inc\integrations\ninja.php:72
filter · fv_forms · inc\integrations\wp-forms.php:72
action · wpforms_process_entry_save · inc\integrations\wp-forms.php:74
filter · fv_forms · inc\integrations\ws-form.php:72
action · wsf_submit_post_complete · inc\integrations\ws-form.php:74
action · admin_enqueue_scripts · inc\modules\analytics\module.php:47
action · admin_menu · inc\modules\analytics\module.php:48
filter · script_loader_tag · inc\modules\analytics\module.php:54
action · wp_dashboard_setup · inc\modules\dashboardWidgets\module.php:46
action · admin_enqueue_scripts · inc\modules\dashboardWidgets\module.php:48
filter · script_loader_tag · inc\modules\dashboardWidgets\module.php:50
action · admin_enqueue_scripts · inc\modules\logs\module.php:46
action · admin_menu · inc\modules\logs\module.php:48
filter · script_loader_tag · inc\modules\logs\module.php:52
filter · admin_footer_text · inc\modules\notices\module.php:53
action · admin_print_scripts · inc\modules\notices\module.php:55
action · admin_notices · inc\modules\notices\module.php:125
action · admin_notices · inc\modules\notices\module.php:144
action · admin_notices · inc\modules\notices\module.php:146
action · admin_notices · inc\modules\notices\module.php:149
action · admin_notices · inc\modules\notices\module.php:272
action · admin_notices · inc\modules\notices\module.php:274
action · admin_notices · inc\modules\notices\module.php:276
action · admin_notices · inc\modules\notices\module.php:302
action · admin_enqueue_scripts · inc\modules\submissions\module.php:47
action · admin_menu · inc\modules\submissions\module.php:48
filter · script_loader_tag · inc\modules\submissions\module.php:56

Maintenance & Trust

Form Vibes – Database Manager for Forms Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 29, 2026
  • PHP min version: 7.4
  • Downloads: 379K

Community Trust

  • Rating: 98/100
  • Number of ratings: 131
  • Active installs: 10K

Developer Profile

Form Vibes – Database Manager for Forms Developer Profile

WPVibes

10 plugins · 201K total installs

  • Trust score: 76
  • Avg Security Score: 95/100
  • Avg Patch Time: 157 days
Detection Fingerprints

How We Detect Form Vibes – Database Manager for Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/form-vibes/assets/css/fv-admin.css
  • /wp-content/plugins/form-vibes/assets/css/fv-common.css
  • /wp-content/plugins/form-vibes/assets/js/fv-admin.js
  • /wp-content/plugins/form-vibes/assets/js/fv-common.js

Script Paths
  • /wp-content/plugins/form-vibes/assets/js/fv-admin.js
  • /wp-content/plugins/form-vibes/assets/js/fv-common.js

Version Parameters
  • form-vibes/assets/css/fv-admin.css?ver=
  • form-vibes/assets/css/fv-common.css?ver=
  • form-vibes/assets/js/fv-admin.js?ver=
  • form-vibes/assets/js/fv-common.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • fv-admin-wrapper
  • fv-admin-content
  • fv-leads-table
  • fv-settings-wrap

HTML Comments
  • Form Vibes Admin Wrapper Start
  • Form Vibes Admin Content Start
  • Form Vibes Admin Content End
  • Form Vibes Admin Wrapper End

Data Attributes
  • data-fv-form-id
  • data-fv-field-name

JS Globals
  • fv_admin_params
  • fv_common_params
  • FormVibes

REST Endpoints
  • /wp-json/formvibes/v1/leads
  • /wp-json/formvibes/v1/settings