Formidable PRO2PDF Security & Risk Analysis

wordpress.org/plugins/formidablepro-2-pdf

Map web forms to PDF forms then with one simple shortcode - display a link on any post, page, form, or view the merged PDF on a PC or mobile device.

1K active installs · v3.23 · PHP + WP 3.0.1+ · Updated Sep 8, 2025

Tags: fpro2pdf, generation, pdf, pdftk, pro2pdf

Score: 99 · Grade: A · Safe

CVEs total: 1
Unpatched: 0
Last CVE: Dec 23, 2022

Is Formidable PRO2PDF Safe to Use in 2026?

Generally Safe

Score 99/100

Formidable PRO2PDF has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 23, 2022 · Updated 6mo ago
Risk Assessment

The "formidablepro-2-pdf" v3.23 plugin exhibits a mixed security posture. While it has a relatively small attack surface with all identified entry points secured by authentication checks, the static analysis reveals several concerning code signals. The presence of 46 dangerous functions, including `unserialize`, `shell_exec`, and `passthru`, is a significant red flag, indicating potential for severe vulnerabilities if not handled with extreme care. Furthermore, the taint analysis shows 12 flows with unsanitized paths and 6 high-severity issues, suggesting that user-supplied data might be processed in an insecure manner, potentially leading to code execution or other compromises.

The plugin's vulnerability history, while currently showing no unpatched CVEs, does include a past high-severity SQL injection vulnerability. This history, coupled with the static analysis findings, suggests a pattern where input sanitization and secure function usage might be inconsistent. While the majority of SQL queries use prepared statements and most outputs are escaped, the critical taint flows and presence of dangerous functions point to areas where these good practices may be overlooked.

In conclusion, "formidablepro-2-pdf" v3.23 has strengths in its secured entry points and a recent lack of unpatched vulnerabilities. However, the significant number of dangerous functions, high-severity taint flows with unsanitized paths, and past SQL injection history collectively present a notable risk. Developers should prioritize a thorough audit of how user input interacts with dangerous functions and ensure robust sanitization across all data flows.

Key Concerns

  • High-severity taint flows
  • Unsanitized paths in taint flows
  • Dangerous functions (unserialize, shell_exec, passthru)
  • Past high-severity CVE (SQL Injection)

Formidable PRO2PDF Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)

Severity Breakdown

High: 1 (1 total CVE)

CVE-2023-28663 · High · CVSS 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Formidable PRO2PDF <= 3.09 - Authenticated (Admin+) SQL Injection

Disclosed Dec 23, 2022 · Patched in 3.10 (396 days)
Formidable PRO2PDF Code Analysis

Analyzed Mar 16, 2026

Dangerous Functions: 46
Raw SQL Queries: 51 (82 prepared)
Unescaped Output: 36 (215 escaped)
Nonce Checks: 15
Capability Checks: 1
File Operations: 70
External Requests: 14
Bundled Libraries: 0

Dangerous Functions Found

Function     Location                 Code
unserialize  backups.php:179          $data = @unserialize($data);
unserialize  backups.php:180          $formats = @unserialize($formats);
unserialize  backups.php:398          <td><?php echo @count(@unserialize($file['data']['data']['data'])); ?></td>
shell_exec   debug.php:66             $debug[] = function_exists('shell_exec') && is_callable('shell_exec') ? str_replace(array("\n", "\r"
shell_exec   debug.php:68             $debug[] = 'PDFTK: ' . fpropdf_print(function_exists('shell_exec') && is_callable('shell_exec') && s
shell_exec   debug.php:69             $debug[] = 'ImageMagick: ' . fpropdf_print(function_exists('shell_exec') && is_callable('shell_exec'
unserialize  format.php:156           $field_options = @unserialize($row2['field_options']);
unserialize  format.php:158           $_tmp = @unserialize($v);
unserialize  format.php:305           $opts = @unserialize($row2['options']);
unserialize  format.php:346           $v = @unserialize($v);
unserialize  format.php:419           $v = @unserialize($v);
unserialize  format.php:446           $_tmp = @unserialize($val_label);
unserialize  format.php:460           $opts = @unserialize($row2['options']);
unserialize  format.php:464           $_tmp = @unserialize($val_label);
unserialize  format.php:471           $opts = @unserialize($row2['options']);
unserialize  format.php:472           $_tmp = @unserialize($val);
unserialize  format.php:498           $_tmp = @unserialize($val);
unserialize  format.php:504           $_tmp = @unserialize($val);
unserialize  format.php:511           $field_options = @unserialize($row2['field_options']);
unserialize  format.php:513           $_tmp = @unserialize($val);
unserialize  format.php:532           $_tmp = @unserialize($val);
unserialize  format.php:712           $v = @unserialize($v);
unserialize  format.php:744           $v = @unserialize($v);
unserialize  fpropdf.php:586          $field_options = @unserialize($data['field_options']);
unserialize  fpropdf.php:604          $files = @unserialize($row['value']);
unserialize  fpropdf.php:670          $description_data = isset($row['description']) && $row['description'] ? @unserialize($row['descripti
unserialize  fpropdf.php:1149         $fpropdfSignatures = unserialize($tmpFDF['signatures']);
unserialize  fpropdf.php:1828         $formats = @unserialize($result['formats']);
unserialize  fpropdf.php:1833         $data = isset($result['data']) ? unserialize($result['data']) : array();
unserialize  fpropdf.php:1997         $assocData = @unserialize($data['data']);
unserialize  fpropdf.php:2186         foreach (unserialize($layout['data']) as $values) {
unserialize  fpropdf.php:2216         $description_data = @unserialize($entry->description);
shell_exec   fpropdf.php:2349         shell_exec('which pdftk')
shell_exec   fpropdf.php:2351         $fields_data = shell_exec('pdftk ' . escapeshellarg($file) . ' dump_data_fields_utf8 2> /dev/null');
unserialize  fpropdf.php:2419         $field_options = @unserialize($row->field_options);
unserialize  fpropdf.php:2436         $_opts = @unserialize($row->options);
unserialize  fpropdf.php:2448         $data = @unserialize($data);
shell_exec   generate-pdf.php:181     shell_exec('which pdftk')
shell_exec   generate-pdf.php:185     shell_exec("pdftk " . escapeshellarg($desired) . " fill_form " . escapeshellarg($actual) . " output 
passthru     generate-pdf.php:192     passthru($command);
shell_exec   generate-pdf.php:195     if ($real_flatten && shell_exec('which convert')) {
shell_exec   generate-pdf.php:201     shell_exec('convert -background white -alpha remove -density 300 ' . escapeshellarg($tmpPdf) . ' ' .
shell_exec   generate-pdf.php:218     shell_exec('convert ' . escapeshellarg($fileTmp) . ' ' . escapeshellarg($fileTmp . '.pdf'));
shell_exec   generate-pdf.php:222     $buffer = shell_exec('pdftk ' . implode(' ', $filesTmp) . ' cat output - ');
shell_exec   generate-pdf.php:228     $data = shell_exec('pdftk ' . escapeshellarg($tmpPdf) . ' output - ' . $encrypt);
shell_exec   generate-pdf.php:418     $debug = shell_exec("$command 2>&1");

SQL Query Safety

62% prepared (133 total queries)

Output Escaping

86% escaped (251 total outputs)

Data Flow Analysis

15 flows, 12 with unsanitized paths
wpfx_killlayout (fpropdf.php:2528)
Formidable PRO2PDF Attack Surface

Entry points: 14
Unprotected: 0

AJAX Handlers (10)

Auth    Hook                          Location
auth    wp_ajax_wpfx_get_dataset      fpropdf.php:2606
auth    wp_ajax_wpfx_get_layout       fpropdf.php:2607
auth    wp_ajax_wpfx_del_layout       fpropdf.php:2608
auth    wp_ajax_wpfx_dup_layout       fpropdf.php:2609
auth    wp_ajax_fpropdf_remove_pdf    fpropdf.php:2610
auth    wp_ajax_wpfx_generate         fpropdf.php:2613
nopriv  wp_ajax_wpfx_generate         fpropdf.php:2614
auth    wp_ajax_wpfx_preview_pdf      fpropdf.php:2638
nopriv  wp_ajax_wpfx_preview_pdf      fpropdf.php:2639
auth    wp_ajax_fpropdf_export_file   templates.php:26

Shortcodes (4)

[formidable-download] formidable-shortcode.php:132
[formidable-download-in-list] formidable-shortcode.php:142
[formidable-pdf-key] formidable-shortcode.php:149
[fpro2pdf-date] formidable-shortcode.php:158
WordPress Hooks (17)

Type    Hook                                      Location
filter  frm_match_xml_form                        backups.php:46
action  admin_enqueue_scripts                     formidable-shortcode.php:28
action  wp_enqueue_scripts                        formidable-shortcode.php:36
action  admin_head                                fpropdf.php:163
action  init                                      fpropdf.php:237
filter  pre_set_site_transient_update_plugins     fpropdf.php:276
action  install_plugins_pre_plugin-information    fpropdf.php:310
filter  fpropdf_wpfx_extract_fields               fpropdf.php:842
action  admin_init                                fpropdf.php:2600
action  admin_menu                                fpropdf.php:2603
action  frm_after_create_entry                    fpropdf.php:2656
filter  frm_notification_attachment               fpropdf.php:2707
filter  frm_importing_xml                         fpropdf.php:2798
action  frm_notification                          fpropdf.php:2840
action  frm_after_create_entry                    settings.php:27
filter  frm_pre_create_entry                      settings.php:41
action  admin_init                                settings.php:45
Formidable PRO2PDF Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 8, 2025
PHP min version: not stated
Downloads: 96K

Community Trust

Rating: 94/100
Number of ratings: 16
Active installs: 1K

Formidable PRO2PDF Developer Profile

alexandre67fr

1 plugin · 1K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 396 days

How We Detect Formidable PRO2PDF

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/formidablepro-2-pdf/assets/css/backend.css
/wp-content/plugins/formidablepro-2-pdf/assets/css/frontend.css
/wp-content/plugins/formidablepro-2-pdf/assets/js/backend.js
/wp-content/plugins/formidablepro-2-pdf/assets/js/frontend.js

Generator Patterns
Formidable PRO2PDF v3.23

Script Paths
/wp-content/plugins/formidablepro-2-pdf/assets/js/backend.js
/wp-content/plugins/formidablepro-2-pdf/assets/js/frontend.js

Version Parameters
formidablepro-2-pdf/assets/css/backend.css?ver=
formidablepro-2-pdf/assets/css/frontend.css?ver=
formidablepro-2-pdf/assets/js/backend.js?ver=
formidablepro-2-pdf/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
fpropdf-admin-css

HTML Comments
<!-- fpropdfTmpFile -->

Data Attributes
data-fpropdf-form
data-fpropdf-field-id
data-fpropdf-field-type
data-fpropdf-entry-id

JS Globals
window.fpropdfAdditionalFormatting

Frequently Asked Questions about Formidable PRO2PDF