Forms Security & Risk Analysis

wordpress.org/plugins/forms-by-made-it

Build easy and flexible forms with Forms.

100 active installs · v2.9.0 · PHP 8.0+ · WP 5.0+ · Updated Apr 14, 2025
Tags: contact, contact-form, email, feedback, form

Score: 58 (C · Use Caution)
CVEs total: 3
Unpatched: 1
Last CVE: Aug 13, 2025
Safety Verdict

Is Forms Safe to Use in 2026?

Use With Caution

Score 58/100

Forms has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

3 known CVEs · 1 unpatched · Last CVE: Aug 13, 2025 · Updated 1yr ago
Risk Assessment

The "forms-by-made-it" plugin, version 2.9.0, presents a mixed security posture. It shows good practice in output escaping, with 84% of outputs properly handled, and avoids dangerous functions, but the analysis raises several significant concerns. The presence of 3 unprotected AJAX handlers and 2 taint flows classified as high severity indicates potential avenues for attack where user input might not be adequately validated or sanitized, leading to vulnerabilities such as cross-site scripting or unauthorized actions. The plugin's vulnerability history is also a notable concern: 3 known CVEs, including one critical and one high severity vulnerability, and, critically, one that remains unpatched. The nature of the past vulnerabilities, specifically "Unrestricted Upload of File with Dangerous Type" and "Cross-site Scripting", aligns with the identified taint flow issues, suggesting a recurring pattern of input handling weaknesses. That none of the plugin's SQL queries use prepared statements (0% prepared) is another critical oversight that exposes the application to SQL injection risk. Despite its strengths in output escaping and the absence of inherently dangerous functions, the combination of unprotected entry points, high-severity taint flows, a history of critical and high vulnerabilities, and the lack of prepared SQL statements points to a substantial risk that requires immediate attention and mitigation.

Key Concerns

  • Unpatched CVE exists
  • High severity taint flows found
  • Critical severity taint flows found
  • SQL queries without prepared statements
  • Unprotected AJAX handlers
  • Unprotected entry points
  • Vulnerability history (multiple CVEs, critical/high)
  • Bundled library (Guzzle)
Vulnerabilities
3 published

Forms Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE (patched)
  • 2024: 1 CVE (patched)
  • 2025: 1 CVE (unpatched)

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 1

3 total CVEs

CVE-2025-24775 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Forms <= 2.9.0 - Authenticated (Contributor+) Arbitrary File Upload

Aug 13, 2025 · Unpatched

CVE-2024-51791 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Forms <= 2.8.0 - Unauthenticated Arbitrary File Upload

Nov 8, 2024 · Patched in 2.8.1 (6d)

CVE-2021-24505 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Forms <= 1.12.2 - Authenticated Stored Cross-Site Scripting

Jul 3, 2021 · Patched in 1.12.3 (934d)
Code Analysis
Analyzed Mar 16, 2026

Forms Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (0 prepared)
Unescaped Output: 116 (616 escaped)
Nonce Checks: 3
Capability Checks: 1
File Operations: 8
External Requests: 6
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

0% prepared (2 total queries)

Output Escaping

84% escaped (732 total outputs)

Data Flows · Security
6 unsanitized

Data Flow Analysis

17 flows, 6 with unsanitized paths

renderForm (front\WP_Form_front.php:468)
Attack Surface
3 unprotected

Forms Attack Surface

Entry Points: 15
Unprotected: 3

AJAX Handlers (3)

Type     Hook                           Location
auth     wp_ajax_ma_forms_resend_mail   admin\WP_MADEIT_FORM_admin.php:1201
auth     wp_ajax_madeit_forms_submit    front\WP_Form_front.php:915
nopriv   wp_ajax_madeit_forms_submit    front\WP_Form_front.php:916

Shortcodes (12)

[form] front\WP_Form_front.php:43
[checkbox] modules\Checkbox.php:121
[number] modules\Number.php:189
[range] modules\Number.php:190
[radio] modules\Radio.php:116
[select] modules\Select.php:132
[submit] modules\Submit.php:136
[text] modules\Text.php:270
[email] modules\Text.php:271
[url] modules\Text.php:272
[tel] modules\Text.php:273
[textarea] modules\Textarea.php:113

WordPress Hooks (58)

Type    Hook                                          Location
filter  wp_mail_from                                  actions\Email.php:37
filter  wp_mail_from_name                             actions\Email.php:38
filter  wp_mail_content_type                          actions\Email.php:39
filter  madeit_forms_actions                          actions\WP_MADEIT_FORM_Action.php:44
action  in_admin_footer                               admin\WP_MADEIT_FORM_admin.php:1050
action  admin_init                                    admin\WP_MADEIT_FORM_admin.php:1161
action  admin_menu                                    admin\WP_MADEIT_FORM_admin.php:1162
action  admin_enqueue_scripts                         admin\WP_MADEIT_FORM_admin.php:1163
action  init                                          admin\WP_MADEIT_FORM_admin.php:1165
action  admin_footer                                  admin\WP_MADEIT_FORM_admin.php:1166
filter  manage_edit-ma_forms_columns                  admin\WP_MADEIT_FORM_admin.php:1168
action  manage_ma_forms_posts_custom_column           admin\WP_MADEIT_FORM_admin.php:1169
filter  manage_edit-ma_form_inputs_columns            admin\WP_MADEIT_FORM_admin.php:1171
action  manage_ma_form_inputs_posts_custom_column     admin\WP_MADEIT_FORM_admin.php:1172
action  edit_form_after_title                         admin\WP_MADEIT_FORM_admin.php:1174
action  edit_form_advanced                            admin\WP_MADEIT_FORM_admin.php:1175
action  submitpost_box                                admin\WP_MADEIT_FORM_admin.php:1176
action  save_post_ma_forms                            admin\WP_MADEIT_FORM_admin.php:1178
action  save_post                                     admin\WP_MADEIT_FORM_admin.php:1179
action  add_meta_boxes                                admin\WP_MADEIT_FORM_admin.php:1180
action  admin_menu                                    admin\WP_MADEIT_FORM_admin.php:1182
action  load-edit.php                                 admin\WP_MADEIT_FORM_admin.php:1184
filter  gutenberg_can_edit_post_type                  admin\WP_MADEIT_FORM_admin.php:1186
filter  use_block_editor_for_post_type                admin\WP_MADEIT_FORM_admin.php:1187
action  init                                          admin\WP_MADEIT_FORM_admin.php:1188
filter  allowed_block_types_all                       admin\WP_MADEIT_FORM_admin.php:1190
filter  bulk_actions-edit-ma_form_inputs              admin\WP_MADEIT_FORM_admin.php:1192
filter  handle_bulk_actions-edit-ma_form_inputs       admin\WP_MADEIT_FORM_admin.php:1193
action  admin_notices                                 admin\WP_MADEIT_FORM_admin.php:1195
action  restrict_manage_posts                         admin\WP_MADEIT_FORM_admin.php:1197
action  pre_get_posts                                 admin\WP_MADEIT_FORM_admin.php:1198
action  init                                          api\WP_Form_Api.php:225
action  init                                          DataInit.php:256
action  init                                          DataInit.php:260
action  add_meta_boxes                                DataInit.php:261
filter  manage_edit-ma_forms_columns                  DataInit.php:263
filter  manage_edit-ma_form_inputs_columns            DataInit.php:264
filter  madeit_forms_form_id                          front\WP_Form_front.php:479
action  init                                          front\WP_Form_front.php:912
action  init                                          front\WP_Form_front.php:913
action  init                                          gutenberg\input-field\madeit-forms.php:9
action  init                                          gutenberg\largeinput-field\madeit-forms.php:9
action  init                                          gutenberg\multi-value-field\madeit-forms.php:9
action  init                                          gutenberg\question-seperator\madeit-forms.php:9
action  init                                          gutenberg\single-radio-value-field\madeit-forms.php:9
action  init                                          gutenberg\submit-field\madeit-forms.php:9
action  init                                          gutenberg\upload-field\madeit-forms.php:9
action  plugins_loaded                                madeit-form.php:32
action  init                                          madeit-form.php:87
filter  block_categories_all                          madeit-form.php:101
filter  madeit_forms_modules                          modules\Checkbox.php:118
filter  madeit_forms_modules                          modules\Number.php:186
filter  madeit_forms_modules                          modules\Radio.php:113
filter  madeit_forms_modules                          modules\Select.php:129
filter  madeit_forms_modules                          modules\Submit.php:133
filter  madeit_forms_modules                          modules\Text.php:267
filter  madeit_forms_modules                          modules\Textarea.php:110
filter  madeit_forms_modules                          modules\WP_MADEIT_FORM_Module.php:62
Maintenance & Trust

Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.0
Last updated: Apr 14, 2025
PHP min version: 8.0
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 100
Developer Profile

Forms Developer Profile

Made I.T.

2 plugins · 110 total installs

Trust score: 59
Avg Security Score: 72/100
Avg Patch Time: 470 days
Detection Fingerprints

How We Detect Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/forms-by-made-it/admin/css/style.css
  • /wp-content/plugins/forms-by-made-it/admin/css/tabs.css
  • /wp-content/plugins/forms-by-made-it/admin/js/script.js
  • /wp-content/plugins/forms-by-made-it/admin/js/tabs.js
  • /wp-content/plugins/forms-by-made-it/front/css/style.css
Script Paths
  • jquery-ui-core
  • jquery-ui-tabs
Version Parameters
  • forms-by-made-it/admin/js/script.js?ver=
  • forms-by-made-it/admin/js/tabs.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • madeit-form-admin-style
  • madeit-tabs
Data Attributes
  • data-form-id
  • data-element-id
JS Globals
  • madeit_forms_post_id
REST Endpoints
  • /wp-json/madeit-form/v1/save
  • /wp-json/madeit-form/v1/get
Shortcode Output
  • [madeit_form id="
  • [madeit_form_input id="