WP-Safety

Advanced Tools for Gravity Forms Security & Risk Analysis

wordpress.org/plugins/gf-tools

Unlock advanced tools and customizations to supercharge your Gravity Forms experience with enhanced features and streamlined management.

30 active installs v1.1.4 PHP 7.4+ WP 5.9+ Updated Jan 21, 2026
merge-tagsreportschedulesearchspam
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Advanced Tools for Gravity Forms Safe to Use in 2026?

Generally Safe

Score 100/100

Advanced Tools for Gravity Forms has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago
Risk Assessment

The "gf-tools" plugin v1.1.5 presents a mixed security posture. While it demonstrates strong adherence to best practices in areas like output escaping (100% proper escaping) and uses prepared statements for a high percentage of its SQL queries (86%), there are notable areas of concern. The presence of 6 unprotected AJAX handlers significantly expands the attack surface, providing potential entry points for unauthorized actions. Furthermore, the taint analysis revealed 6 high-severity flows with unsanitized paths, indicating a risk of data being processed in an unsafe manner, potentially leading to vulnerabilities like Cross-Site Scripting (XSS) or Remote Code Execution (RCE) if not properly handled by subsequent logic. The plugin's vulnerability history is currently clean, with no known CVEs, which is a positive sign. However, the combination of unprotected entry points and high-severity taint flows suggests a potential for undiscovered vulnerabilities. The use of the `unserialize` function twice is also a red flag, as it can be a source of critical security vulnerabilities if the input is not strictly controlled.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Dangerous function: unserialize used
Vulnerabilities
None known

Advanced Tools for Gravity Forms Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Advanced Tools for Gravity Forms Code Analysis

Dangerous Functions
2
Raw SQL Queries
3
18 prepared
Unescaped Output
98
906 escaped
Nonce Checks
27
Capability Checks
8
File Operations
1
External Requests
4
Bundled Libraries
0

Dangerous Functions Found

unserialize$value = implode( ', ', unserialize( $value ) );includes\class-helpers.php:548
unserialize$data = unserialize( $value );includes\class-helpers.php:656

SQL Query Safety

86% prepared21 total queries

Output Escaping

90% escaped1004 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

21 flows7 with unsanitized paths
plugin_page (includes\class-gf-tools.php:224)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
6 unprotected

Advanced Tools for Gravity Forms Attack Surface

Entry Points20
Unprotected6

AJAX Handlers 13

authwp_ajax_get_all_spam_entry_idsincludes\class-dashboard.php:49
noprivwp_ajax_get_all_spam_entry_idsincludes\class-dashboard.php:50
authwp_ajax_delete_spam_entryincludes\class-dashboard.php:51
noprivwp_ajax_delete_spam_entryincludes\class-dashboard.php:52
authwp_ajax_get_object_arrayincludes\class-developers.php:53
noprivwp_ajax_get_object_arrayincludes\class-developers.php:54
authwp_ajax_mark_resolvedincludes\class-mark-resolved.php:66
noprivwp_ajax_mark_resolvedincludes\class-mark-resolved.php:67
authwp_ajax_report_get_form_fieldsincludes\class-reports.php:86
noprivwp_ajax_report_get_form_fieldsincludes\class-reports.php:87
authwp_ajax_gfat_get_entryincludes\class-reports.php:88
authwp_ajax_gfat_generate_api_keyincludes\class-spam.php:81
noprivwp_ajax_gfat_generate_api_keyincludes\class-spam.php:82

Shortcodes 7

[gfat_remove_qs] includes\class-shortcodes.php:27
[gfat_entry_submitted] includes\class-shortcodes.php:30
[gfat_entry_not_submitted] includes\class-shortcodes.php:31
[gfat_qs_value] includes\class-shortcodes.php:34
[gfat_form] includes\class-shortcodes.php:37
[gfat_report] includes\class-shortcodes.php:40
[gfat_export_entries] includes\class-shortcodes.php:43
WordPress Hooks 115
actiongform_loadedgf-tools.php:98
filterplugin_row_metagf-tools.php:126
actiongform_uninstallinggf-tools.php:191
filtergform_confirmation_anchorincludes\class-confirmations.php:19
filtergform_menu_positionincludes\class-customize-gf.php:30
actionadmin_enqueue_scriptsincludes\class-dashboard.php:55
filtergform_toolbar_menuincludes\class-developers.php:50
actionadmin_enqueue_scriptsincludes\class-developers.php:57
filtergform_logging_messageincludes\class-developers.php:62
filtergform_form_settings_fieldsincludes\class-developers.php:66
filtergform_ip_addressincludes\class-entries.php:30
actiongform_after_submissionincludes\class-entries.php:33
filtergform_entry_metaincludes\class-entries.php:36
actiongform_entry_createdincludes\class-entries.php:37
actiongform_entry_createdincludes\class-entries.php:38
filtergform_pre_renderincludes\class-form-display.php:30
filtergform_submit_buttonincludes\class-form-display.php:33
filtergform_next_buttonincludes\class-form-display.php:36
filtergform_previous_buttonincludes\class-form-display.php:37
filtergform_submit_buttonincludes\class-form-display.php:38
filtergform_pre_renderincludes\class-form-display.php:41
filtergform_pre_validationincludes\class-form-display.php:42
filtergform_get_form_filterincludes\class-form-display.php:43
filtergform_review_pageincludes\class-form-display.php:46
filtergform_get_form_filterincludes\class-form-display.php:49
actionwp_enqueue_scriptsincludes\class-form-display.php:52
filtergform_form_not_found_messageincludes\class-form-display.php:135
filtergform_bypass_template_libraryincludes\class-form-editor.php:31
filtergform_disable_ajax_saveincludes\class-form-editor.php:36
actiongform_countriesincludes\class-form-editor.php:41
actiongform_us_statesincludes\class-form-editor.php:46
filtergform_disable_custom_field_names_queryincludes\class-form-editor.php:51
filtergform_enable_password_fieldincludes\class-form-editor.php:56
actiongform_add_field_buttonsincludes\class-form-editor.php:69
filtergform_submit_buttonincludes\class-form-editor.php:74
filtergform_editor_sidebar_panelsincludes\class-form-editor.php:79
actiongform_editor_sidebar_panel_content_gfadvtools_quiz_answersincludes\class-form-editor.php:80
actiongform_field_standard_settingsincludes\class-form-editor.php:88
actiongform_field_appearance_settingsincludes\class-form-editor.php:89
actiongform_field_advanced_settingsincludes\class-form-editor.php:90
filtergform_tooltipsincludes\class-form-editor.php:91
actiongform_editor_jsincludes\class-form-editor.php:92
actiongform_after_save_formincludes\class-forms-table.php:39
filtergform_form_list_columnsincludes\class-forms-table.php:40
actiongform_form_list_column_logincludes\class-forms-table.php:41
actiongform_form_actionsincludes\class-forms-table.php:46
filtergform_disable_view_counterincludes\class-forms-table.php:51
filtergform_form_list_columnsincludes\class-forms-table.php:52
filtergform_form_list_columnsincludes\class-forms-table.php:57
filtergform_form_list_formsincludes\class-forms-table.php:62
actionadmin_enqueue_scriptsincludes\class-forms-table.php:68
actionadmin_enqueue_scriptsincludes\class-gf-tools.php:96
filtergform_export_fieldsincludes\class-import-export.php:29
filtergform_form_export_filenameincludes\class-import-export.php:33
filtergform_include_bom_export_entriesincludes\class-import-export.php:38
filtergform_export_menuincludes\class-import-export.php:44
actiongform_export_page_import_spam_listincludes\class-import-export.php:45
actionadmin_enqueue_scriptsincludes\class-import-export.php:49
filtergform_entry_detail_meta_boxesincludes\class-mark-resolved.php:49
filtergform_entry_metaincludes\class-mark-resolved.php:52
actiongform_entries_field_valueincludes\class-mark-resolved.php:55
actiongform_entries_first_column_actionsincludes\class-mark-resolved.php:58
actiongform_pre_entry_listincludes\class-mark-resolved.php:59
filtergform_entry_list_bulk_actionsincludes\class-mark-resolved.php:62
actiongform_entry_list_actionincludes\class-mark-resolved.php:63
actionadmin_enqueue_scriptsincludes\class-mark-resolved.php:70
filtergform_custom_merge_tagsincludes\class-merge-tags.php:43
filtergform_replace_merge_tagsincludes\class-merge-tags.php:46
filtergform_default_notificationincludes\class-notifications.php:20
filtergform_format_email_toincludes\class-notifications.php:25
filtergform_notification_settings_fieldsincludes\class-notifications.php:29
filtergform_is_valid_notification_toincludes\class-notifications.php:32
filtergform_email_fields_notification_adminincludes\class-notifications.php:35
actionadmin_enqueue_scriptsincludes\class-notifications.php:38
filterdisplay_post_statesincludes\class-pages.php:58
filtermap_meta_capincludes\class-pages.php:61
filtergform_replace_merge_tagsincludes\class-password-reset.php:98
filtergform_field_value_previous_valueincludes\class-populate-fields.php:30
filtergform_field_valueincludes\class-populate-fields.php:31
filtergform_field_valueincludes\class-populate-fields.php:32
filtergform_field_valueincludes\class-populate-fields.php:33
filtergform_pre_renderincludes\class-populate-fields.php:36
filtergform_pre_validationincludes\class-populate-fields.php:37
filtergform_pre_submission_filterincludes\class-populate-fields.php:38
filtergform_admin_pre_renderincludes\class-populate-fields.php:39
filtergform_get_form_filterincludes\class-populate-fields.php:40
filtergform_pre_renderincludes\class-populate-fields.php:43
filtergform_pre_validationincludes\class-populate-fields.php:44
filtergform_pre_submission_filterincludes\class-populate-fields.php:45
filtergform_admin_pre_renderincludes\class-populate-fields.php:46
filtergform_pre_renderincludes\class-populate-fields.php:49
filtergform_pre_validationincludes\class-populate-fields.php:50
filtergform_pre_submission_filterincludes\class-populate-fields.php:51
filtergform_admin_pre_renderincludes\class-populate-fields.php:52
filtergform_user_registration_validationincludes\class-registration.php:52
filterparent_fileincludes\class-reports.php:71
actionadmin_headincludes\class-reports.php:74
actionedit_form_after_titleincludes\class-reports.php:77
actionadd_meta_boxesincludes\class-reports.php:80
actionsave_postincludes\class-reports.php:83
actionadmin_enqueue_scriptsincludes\class-reports.php:91
actionwp_enqueue_scriptsincludes\class-reports.php:94
actionwp_enqueue_scriptsincludes\class-shortcodes.php:51
actionrest_api_initincludes\class-spam.php:78
actionadmin_enqueue_scriptsincludes\class-spam.php:85
filtergform_toolbar_menuincludes\class-spam.php:91
filtergform_field_validationincludes\class-spam.php:97
filtergform_entry_is_spamincludes\class-spam.php:101
filtergform_field_validationincludes\class-spam.php:106
filtergform_field_validationincludes\class-validations.php:19
actionupdate_option_users_can_registerincludes\class-wp-login.php:53
filterregister_urlincludes\class-wp-login.php:55
filterlogin_urlincludes\class-wp-login.php:60
filterlogout_redirectincludes\class-wp-login.php:61
actionlogin_initincludes\class-wp-login.php:65
Maintenance & Trust

Advanced Tools for Gravity Forms Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 21, 2026
PHP min version7.4
Downloads2K

Community Trust

Rating100/100
Number of ratings1
Active installs30
Alternatives

Advanced Tools for Gravity Forms Alternatives

DocumentCloud

DocumentCloud

documentcloud

A
100

Embed DocumentCloud resources in WordPress content.

1K No CVEs
Zeno Report Comments

Zeno Report Comments

zeno-report-comments

A
100

This plugin gives your visitors the possibility to report a comment as inappropriate. After a set threshold the comment is put into moderation.

200 No CVEs
Stop Search Spam

Stop Search Spam

stop-search-spam

A
92

The plugin blocks internal site search spam (what lowers your site's ranking in the Google).

60 No CVEs
Form Submission Email Reports

Form Submission Email Reports

form-submission-reports

A
100

A lightweight plugin that retrieves form submission data from popular form plugins and emails scheduled reports (daily, weekly, and monthly).

50 No CVEs
AJAX Report Comments

AJAX Report Comments

report-comments

A
85

AJAX Report Comments is a simple yet powerful add-on for any Wordpress blog, particularly larger blogs with a higher volume of user comments.

20 No CVEs
Developer Profile

Advanced Tools for Gravity Forms Developer Profile

PluginRx

12 plugins · 2K total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
10 days
View full developer profile
Detection Fingerprints

How We Detect Advanced Tools for Gravity Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gf-tools/assets/css/gf-tools-style.css/wp-content/plugins/gf-tools/assets/js/gf-tools-scripts.js
Script Paths
/wp-content/plugins/gf-tools/assets/js/gf-tools-scripts.js
Version Parameters
gf-tools/assets/css/gf-tools-style.css?ver=gf-tools/assets/js/gf-tools-scripts.js?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Advanced Tools for Gravity Forms