Formit – The Ultimate drag and drop WordPress Form Builder Security & Risk Analysis

wordpress.org/plugins/formit

Easily design a dynamic WordPress form Builder using Formit, the top drag-and-drop form builder for contact, and more.

0 active installs · v2.1.4 · PHP 7.4+ · WP 6.0+ · Updated Jun 14, 2024
Tags: contact-form, contact-form-plugin, custom-form-builder, drag-and-drop-forms, wordpress-form-builder
Score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Formit – The Ultimate drag and drop WordPress Form Builder Safe to Use in 2026?

Generally Safe

Score 92/100

Formit – The Ultimate drag and drop WordPress Form Builder has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The Formit v2.1.4 plugin exhibits a generally strong security posture, with excellent practices observed in SQL query handling and output escaping, both of which are 100% compliant with best practices. The absence of known CVEs and a clean vulnerability history are positive indicators. However, there are notable areas for improvement, particularly concerning the plugin's attack surface. The presence of four AJAX handlers without authentication checks represents a significant risk, as these could potentially be exploited by unauthenticated users. Additionally, the taint analysis revealed two flows with unsanitized paths, which, while not classified as critical or high severity by the analysis, warrant further investigation as they indicate potential pathways for data manipulation or injection if not properly mitigated at the application level. The plugin also demonstrates a good number of nonce and capability checks, but the unprotected entry points are a concern that could be addressed by implementing these checks more consistently across all handlers.

Key Concerns

  • AJAX handlers without auth checks
  • Taint flows with unsanitized paths
Vulnerabilities
None known

Formit – The Ultimate drag and drop WordPress Form Builder Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Formit – The Ultimate drag and drop WordPress Form Builder Release Timeline

v2.1.4 (Current)
v2.1.3
Code Analysis
Analyzed Apr 16, 2026

Formit – The Ultimate drag and drop WordPress Form Builder Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (61 prepared)
  • Unescaped Output: 1 (614 escaped)
  • Nonce Checks: 14
  • Capability Checks: 7
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared · 61 total queries

Output Escaping

100% escaped · 615 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
formit_render_submission_page (inc/Admin/Formit_FormSubmission.php:52)
[Data flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized]
Attack Surface
4 unprotected

Formit – The Ultimate drag and drop WordPress Form Builder Attack Surface

Entry Points: 20
Unprotected: 4

AJAX Handlers: 19

auth · wp_ajax_formit_export_csv · inc/Admin/Exports/Formit_ExportCsv.php:10
nopriv · wp_ajax_formit_export_csv · inc/Admin/Exports/Formit_ExportCsv.php:11
auth · wp_ajax_formit_get_submission_details · inc/Admin/Formit_FormSubmission.php:17
nopriv · wp_ajax_formit_get_submission_details · inc/Admin/Formit_FormSubmission.php:18
auth · wp_ajax_formit_bulk_delete_submissions · inc/Admin/Formit_FormSubmission.php:21
nopriv · wp_ajax_formit_bulk_delete_submissions · inc/Admin/Formit_FormSubmission.php:22
auth · wp_ajax_formit_delete_single_submission · inc/Admin/Formit_FormSubmission.php:25
nopriv · wp_ajax_formit_delete_single_submission · inc/Admin/Formit_FormSubmission.php:26
auth · wp_ajax_update_items_per_page · inc/Admin/Formit_FormSubmission.php:29
nopriv · wp_ajax_update_items_per_page · inc/Admin/Formit_FormSubmission.php:30
auth · wp_ajax_formit_process_form_message_submission · inc/Admin/Formit_FromBuilderHandle.php:28
auth · wp_ajax_formit_get_wp_pages · inc/Admin/views/Form/Formit_Form.php:8
nopriv · wp_ajax_formit_get_wp_pages · inc/Admin/views/Form/Formit_Form.php:9
auth · wp_ajax_formit_from_after_submission · inc/Admin/views/Form/Formit_Form.php:11
nopriv · wp_ajax_formit_from_after_submission · inc/Admin/views/Form/Formit_Form.php:12
auth · wp_ajax_formit_form_settings_data · inc/Admin/views/Settings/Formit_SettingConfig.php:14
nopriv · wp_ajax_formit_form_settings_data · inc/Admin/views/Settings/Formit_SettingConfig.php:15
auth · wp_ajax_formit_submit_ajax_function · inc/Formit_Formhandle.php:31
nopriv · wp_ajax_formit_submit_ajax_function · inc/Formit_Formhandle.php:32

Shortcodes: 1

[formit] · inc/Frontend/Formit_ShortCode.php:18
WordPress Hooks: 40

action · init · formit.php:68
action · plugins_loaded · formit.php:71
action · save_post · inc/Admin/Formit_AddMetaBox.php:16
action · add_meta_boxes · inc/Admin/Formit_AddMetaBox.php:22
action · save_post · inc/Admin/Formit_AddMetaBox.php:28
filter · post_updated_messages · inc/Admin/Formit_AddMetaBox.php:34
action · wp_trash_post · inc/Admin/Formit_AddMetaBox.php:40
action · admin_enqueue_scripts · inc/Admin/Formit_AdminEnqueue.php:8
action · admin_enqueue_scripts · inc/Admin/Formit_AdminEnqueue.php:9
action · admin_enqueue_scripts · inc/Admin/Formit_AdminEnqueue.php:10
action · init · inc/Admin/Formit_CustomPost.php:13
action · admin_menu · inc/Admin/Formit_FormSubmission.php:14
filter · get_sample_permalink_html · inc/Admin/Formit_Hook.php:14
filter · post_row_actions · inc/Admin/Formit_Hook.php:19
filter · manage_formit_posts_columns · inc/Admin/Formit_Hook.php:24
action · manage_formit_posts_custom_column · inc/Admin/Formit_Hook.php:29
filter · manage_formit_posts_columns · inc/Admin/Formit_Hook.php:35
filter · manage_formit_posts_columns · inc/Admin/Formit_Hook.php:41
action · manage_formit_posts_custom_column · inc/Admin/Formit_Hook.php:47
action · manage_formit_posts_custom_column · inc/Admin/Formit_Hook.php:53
filter · manage_formit_posts_columns · inc/Admin/Formit_Hook.php:59
action · admin_enqueue_scripts · inc/Admin/Formit_Hook.php:67
filter · enter_title_here · inc/Admin/Formit_Hook.php:73
action · add_meta_boxes · inc/Admin/Formit_Hook.php:79
action · add_meta_boxes · inc/Admin/Formit_Hook.php:85
filter · screen_options_show_screen · inc/Admin/Formit_Hook.php:91
action · current_screen · inc/Admin/Formit_Hook.php:103
filter · screen_options_show_screen · inc/Admin/Formit_Hook.php:287
action · admin_notices · inc/Admin/Formit_Notice.php:8
action · admin_menu · inc/Admin/views/Docs/Formit_Docs.php:9
action · admin_menu · inc/Admin/views/Settings/Formit_Settings.php:7
action · rest_api_init · inc/Formit_API.php:7
action · admin_head · inc/Formit_GlobalFunctions.php:26
action · elementor/widgets/widgets_registered · inc/Formit_GlobalFunctions.php:32
action · wp_enqueue_scripts · inc/Frontend/Formit_FrontendEnqueue.php:12
action · init · inc/Widgets/Block/Formit_GutenbergWidget.php:10
action · wp_dashboard_setup · inc/Widgets/Formit_DashboardBlogWidget.php:10
action · admin_enqueue_scripts · inc/Widgets/Formit_DashboardBlogWidget.php:11
action · wp_dashboard_setup · inc/Widgets/Formit_DashboardStatsWidget.php:11
action · admin_enqueue_scripts · inc/Widgets/Formit_DashboardStatsWidget.php:12
Maintenance & Trust

Formit – The Ultimate drag and drop WordPress Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: Jun 14, 2024
PHP min version: 7.4
Downloads: 1K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 0
Developer Profile

Formit – The Ultimate drag and drop WordPress Form Builder Developer Profile

Themeies

1 plugin · 0 total installs

Trust score: 88
Avg Security Score: 92/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Formit – The Ultimate drag and drop WordPress Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/formit/assets/admin/js/form-builder.min.js
/wp-content/plugins/formit/assets/admin/js/form-render.min.js
/wp-content/plugins/formit/assets/admin/js/formit-admin-scripts.js
/wp-content/plugins/formit/assets/admin/css/formit-admin-style.css
/wp-content/plugins/formit/assets/admin/css/formit_form-builder-css.css
Script Paths
/wp-content/plugins/formit/assets/admin/js/form-builder.min.js
/wp-content/plugins/formit/assets/admin/js/form-render.min.js
/wp-content/plugins/formit/assets/admin/js/formit-admin-scripts.js
Version Parameters
formit/assets/admin/js/form-builder.min.js?ver=
formit/assets/admin/js/form-render.min.js?ver=
formit/assets/admin/js/formit-admin-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
formit-form-builder
HTML Comments
<!-- Script Data -->
JS Globals
formit_scripts_localize
formit_ajax_localize
FAQ

Frequently Asked Questions about Formit – The Ultimate drag and drop WordPress Form Builder