Contact form builder for Gutenberg – Formello Security & Risk Analysis

wordpress.org/plugins/formello

Lightweight and easy plugin to create forms inside the block editor.

60 active installs · v2.7.1 · PHP 7.0+ · WP 6.6+ · Updated May 29, 2025
Tags: block, contact-form, form, form-block, gutenberg-form
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Contact form builder for Gutenberg – Formello Safe to Use in 2026?

Generally Safe

Score 100/100

Contact form builder for Gutenberg – Formello has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10mo ago
Risk Assessment

The Formello v2.7.1 plugin exhibits a generally strong security posture, following several best practices such as 100% output escaping and a high percentage of prepared SQL statements. The absence of known CVEs and a clean vulnerability history are positive indicators of the developer's attention to security. However, the plugin does present some security weaknesses that warrant attention. Specifically, two AJAX handlers are registered without authentication checks, which gives unauthorized callers a direct entry point for performing actions. Additionally, the taint analysis found two data flows with unsanitized paths; while not flagged as critical or high severity in this analysis, they represent a potential risk if those paths are reachable by unauthenticated users or if the data involved is sensitive. The small number of file operations and external HTTP requests is also positive, but the two unprotected entry points and the two flows with unsanitized paths are the primary areas of concern.

Key Concerns

  • AJAX handlers without authentication checks
  • Flows with unsanitized paths
Vulnerabilities
None known

Contact form builder for Gutenberg – Formello Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Contact form builder for Gutenberg – Formello Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (18 prepared)
Unescaped Output: 0 (36 escaped)
Nonce Checks: 2
Capability Checks: 6
File Operations: 1
External Requests: 5
Bundled Libraries: 0

SQL Query Safety

86% prepared (21 total queries)

Output Escaping

100% escaped (36 total outputs)
Data Flows
2 unsanitized

Data Flow Analysis

3 flows, 2 with unsanitized paths
validate_recaptcha (includes\Processor\Validator.php:307)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
2 unprotected

Contact form builder for Gutenberg – Formello Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 2

auth: wp_ajax_formello (includes\Plugin.php:170)
nopriv: wp_ajax_formello (includes\Plugin.php:171)

Shortcodes 1

[formello] (includes\Plugin.php:166)
WordPress Hooks 31
filter: formello_available_form_actions (includes\Actions\Action.php:62)
action: wp_mail_failed (includes\Actions\Email.php:30)
action: plugins_loaded (includes\Plugin.php:131)
action: admin_menu (includes\Plugin.php:145)
action: enqueue_block_editor_assets (includes\Plugin.php:146)
action: admin_bar_menu (includes\Plugin.php:147)
action: upgrader_process_complete (includes\Plugin.php:150)
action: init (includes\Plugin.php:163)
action: init (includes\Plugin.php:164)
action: block_categories_all (includes\Plugin.php:165)
action: rest_api_init (includes\Plugin.php:175)
action: rest_api_init (includes\Plugin.php:177)
action: rest_api_init (includes\Plugin.php:179)
action: rest_api_init (includes\Plugin.php:181)
action: rest_api_init (includes\Plugin.php:183)
action: rest_api_init (includes\Plugin.php:185)
action: formello_retrieve_news (includes\Plugin.php:191)
action: formello_delete_logs (includes\Plugin.php:192)
action: formello_delete_tmp (includes\Plugin.php:193)
filter: cron_schedules (includes\Utils\functions.php:348)
filter: option_formello (includes\Utils\functions.php:349)
filter: pre_update_option_formello (includes\Utils\functions.php:350)
filter: allowed_block_types_all (includes\Utils\functions.php:351)
filter: upload_mimes (includes\Utils\functions.php:352)
action: rest_api_init (includes\Utils\functions.php:353)
action: load-edit.php (includes\Utils\functions.php:354)
action: init (includes\Utils\register-cpt.php:150)
action: init (includes\Utils\register-cpt.php:151)
action: rest_api_init (includes\Utils\register-settings.php:216)
action: admin_init (includes\Utils\register-settings.php:217)
filter: rest_pre_echo_response (includes\Utils\templates.php:53)

Scheduled Events 3

formello_retrieve_news
formello_delete_logs
formello_delete_tmp
Maintenance & Trust

Contact form builder for Gutenberg – Formello Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 29, 2025
PHP min version: 7.0
Downloads: 10K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 60
Developer Profile

Contact form builder for Gutenberg – Formello Developer Profile

tropicalista

5 plugins · 13K total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Contact form builder for Gutenberg – Formello

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/formello/build/style-admin.css
/wp-content/plugins/formello/build/admin.js
/wp-content/plugins/formello/build/form-settings.js
Script Paths
/wp-content/plugins/formello/build/admin.js
/wp-content/plugins/formello/build/form-settings.js
Version Parameters
formello/build/style-admin.css?ver=
formello/build/admin.js?ver=
formello/build/form-settings.js?ver=

HTML / DOM Fingerprints

CSS Classes
formello-admin-app
Data Attributes
data-formello-form-id
data-formello-entries-url
data-formello-submit-url
JS Globals
formello
REST Endpoints
/wp-json/formello/v1/settings
/wp-json/formello/v1/new-form
/wp-json/formello/v1/form-settings
/wp-json/formello/v1/submit
/wp-json/formello/v1/upload
Shortcode Output
[formello_form
FAQ

Frequently Asked Questions about Contact form builder for Gutenberg – Formello