Does Formzu WP have any unpatched vulnerabilities?

No. All known vulnerabilities in Formzu WP have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Formzu WP compatible with WordPress 6.8.5?

According to WordPress.org data, Formzu WP 1.6.11 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Formzu WP compatible with PHP 5.2+?

Formzu WP requires PHP 5.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Formzu WP updated?

Formzu WP was last updated on Sep 12, 2025. Frequent updates are generally a positive security signal.

What is Formzu WP's security score?

Formzu WP has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Formzu WP Security & Risk Analysis

wordpress.org/plugins/formzu-wp

メールフォーム無料作成サービス「フォームズ」のSSL通信フォームを簡単に設置できます。

3K active installs v1.6.11 PHP 5.2+ WP 3.7+ Updated Sep 12, 2025

%e3%83%95%e3%82%a9%e3%83%bc%e3%83%a0%e3%83%a1%e3%83%bc%e3%83%ab%e3%83%95%e3%82%a9%e3%83%bc%e3%83%a0contact-formformformzu

A · Safe

CVEs total2

Unpatched0

Last CVEJan 19, 2024

Plugin page Download

Safety Verdict

Is Formzu WP Safe to Use in 2026?

Generally Safe

Score 99/100

Formzu WP has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Jan 19, 2024Updated 6mo ago

Risk Assessment

The "formzu-wp" plugin v1.6.11 presents a mixed security posture. On the positive side, it utilizes prepared statements for all SQL queries and includes a reasonable number of nonce and capability checks. However, the presence of an unprotected AJAX handler significantly increases the attack surface, making it a primary concern. The taint analysis reveals flows with unsanitized paths, indicating potential for vulnerabilities if these flows are not handled carefully, although no critical or high severity issues were flagged in the static analysis. The plugin's vulnerability history shows two medium severity CVEs, both of which are now patched. The common vulnerability type being Cross-site Scripting is a recurring pattern. Overall, while the plugin demonstrates some good security practices, the unprotected AJAX endpoint and history of XSS vulnerabilities warrant caution and ongoing monitoring.

Key Concerns

Unprotected AJAX handler
Significant percentage of unescaped output
Taint analysis shows unsanitized paths
History of medium severity XSS vulnerabilities

Vulnerabilities

Formzu WP Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2024-22310medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Formzu WP <= 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 19, 2024 Patched in 1.6.8 (6d)

CVE-2023-49160medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Formzu WP <= 1.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via id

Nov 28, 2023 Patched in 1.6.7 (56d)

Code Analysis

Analyzed Mar 16, 2026

Formzu WP Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

33 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

43% escaped77 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

6 flows4 with unsanitized paths

echo_formzu_list_body (includes\formzu\admin-views.php:187)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

Formzu WP Attack Surface

Entry Points2

Unprotected1

AJAX Handlers 1

authwp_ajax_get_iframe_heightclasses\action-hooks.php:64

Shortcodes 1

[formzu] classes\action-hooks.php:51

WordPress Hooks 27

actionadmin_enqueue_scriptsclasses\action-hooks.php:43

actionwidgets_initclasses\action-hooks.php:53

actionformzu_loaded_menuclasses\action-hooks.php:61

actionadmin_menuclasses\action-hooks.php:62

actionadmin_enqueue_scriptsclasses\action-hooks.php:63

actionwp_enqueue_scriptsclasses\action-hooks.php:74

actionadmin_initclasses\action-hooks.php:86

actionadmin_initclasses\action-hooks.php:87

actionadmin_footerclasses\action-hooks.php:88

actionadmin_noticesclasses\action-hooks.php:89

actionadmin_enqueue_scriptsclasses\action-hooks.php:90

actionadmin_enqueue_scriptsclasses\action-hooks.php:99

actionadmin_footerclasses\action-hooks.php:107

actionwidgets_initclasses\action-hooks.php:109

actionadmin_enqueue_scriptsclasses\action-hooks.php:111

actionadmin_noticesclasses\action-hooks.php:112

actionload-nav-menus.phpclasses\action-hooks.php:120

actionadmin_enqueue_scriptsclasses\action-hooks.php:121

filterwp_setup_nav_menu_itemclasses\action-hooks.php:123

actioninitclasses\action-hooks.php:124

actionadmin_enqueue_scriptsclasses\action-hooks.php:130

actionadmin_enqueue_scriptsclasses\action-hooks.php:133

actionplugins_loadedformzu-wp.php:34

actionplugins_loadedformzu-wp.php:47

actionadmin_print_footer_scriptsincludes\introduce-tour.php:98

actionsave_postincludes\navmenu\formzu-nav-menu-item-fields.php:21

actionadmin_footerincludes\navmenu\setup_formzu_link_navmenu.php:14

Maintenance & Trust

Formzu WP Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedSep 12, 2025

PHP min version5.2

Downloads46K

Community Trust

Rating0/100

Number of ratings0

Active installs3K

Alternatives

Formzu WP Alternatives

Contact Form 7

contact-form-7

Just another contact form plugin. Simple but flexible.

10.0M 8 CVEs

Akismet Anti-spam: Spam Protection

akismet

The best anti-spam protection to block spam comments and spam in a contact form. The most trusted antispam solution for WordPress and WooCommerce.

6.0M 2 CVEs

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

wpforms-lite

The best WordPress contact form plugin. Drag & Drop form builder to create beautiful contact forms, payment forms, & other custom forms.

6.0M 14 CVEs

Database Addon for Contact Form 7 – CFDB7

contact-form-cfdb7

Save and manage Contact Form 7 messages. Never lose important data. It is a lightweight contact form 7 database plugin.

600K 7 CVEs

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

fluentform

Get a fast contact form plugin. Create advanced forms using drag and drop form builder with all smart features.

600K 27 CVEs

Developer Profile

Formzu WP Developer Profile

ogasawat

1 plugin · 3K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

31 days

View full developer profile

Detection Fingerprints

How We Detect Formzu WP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/formzu-wp/js/formzu.js/wp-content/plugins/formzu-wp/css/formzu.css/wp-content/plugins/formzu-wp/includes/js/formzu-navmenu.js/wp-content/plugins/formzu-wp/includes/js/formzu-tour.js/wp-content/plugins/formzu-wp/admin/js/formzu-admin.js/wp-content/plugins/formzu-wp/admin/js/formzu-widgetmenu.js/wp-content/plugins/formzu-wp/admin/js/formzu-howtouse.js/wp-content/plugins/formzu-wp/admin/js/formzu-create.js+1 more

Script Paths

https://ws.formzu.net/dist/formzu.js

Version Parameters

formzu-wp/js/formzu.js?ver=formzu-wp/css/formzu.css?ver=formzu-wp/includes/js/formzu-navmenu.js?ver=formzu-wp/includes/js/formzu-tour.js?ver=formzu-wp/admin/js/formzu-admin.js?ver=formzu-wp/admin/js/formzu-widgetmenu.js?ver=formzu-wp/admin/js/formzu-howtouse.js?ver=formzu-wp/admin/js/formzu-create.js?ver=formzu-wp/admin/js/formzu-form.js?ver=

HTML / DOM Fingerprints

CSS Classes

formzu-form-wrap

HTML Comments

Data Attributes

data-formzu-id

JS Globals

formzu_navmenu_paramsformzu_navmenu_nonce_field

Shortcode Output

[formzu]

FAQ