Gravity PDF Security & Risk Analysis

wordpress.org/plugins/gravity-forms-pdf-extended

Automatically generate, email and download PDF documents from Gravity Forms entries

20K active installs · v6.12.6.3 · PHP 7.3+ · WP 5.3+ · Updated Jul 23, 2025
Tags: contact-form, email, form, gravity-forms, pdf
Score: 100 · Grade A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jun 14, 2022
Safety Verdict

Is Gravity PDF Safe to Use in 2026?

Generally Safe

Score 100/100

Gravity PDF has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Jun 14, 2022 · Updated 9mo ago
Risk Assessment

The plugin "gravity-forms-pdf-extended" v6.12.6.3 exhibits a mixed security posture. Its data handling is strong: all 3 SQL queries use prepared statements, and 95% of output (892 of 939 outputs) is escaped. The concern is the attack surface. Of the 10 entry points identified, 9 are AJAX handlers in which the scan found neither a nonce check nor a capability check. All 9 are registered on wp_ajax_* hooks rather than wp_ajax_nopriv_*, so WordPress dispatches them only to logged-in users; the exposure is therefore to any authenticated account, including low-privilege roles on sites with open registration, rather than to anonymous visitors. A handler that verifies neither a nonce nor a capability is additionally reachable through cross-site request forgery against a logged-in user. A static scan only sees checks inside the handler itself, so a guard performed in a shared helper the handler calls would be missed; each flagged handler should be confirmed by reading it before it is treated as a vulnerability.

Taint analysis revealed one flow with an unsanitized path, in src\Helper\Helper_Abstract_Options.php. The reported line number (0) suggests the analyzer could not pin the flow to a specific statement, so it should be located by review. It was not classified as critical or high severity, but an unsanitized path through a settings-handling helper is the kind of gap that becomes stored XSS or another injection if the value later reaches output or a dangerous sink. The vulnerability history shows one disclosed medium-severity (6.1) reflected Cross-Site Scripting issue affecting versions up to 6.3.0, fixed in 6.3.1. No CVEs are currently unpatched, but the past XSS, together with the number of AJAX handlers lacking checks, suggests similar issues could recur if input validation and output escaping are not applied consistently at every entry point.

Overall, the plugin is strong in data handling (SQL, output escaping) and weak in per-handler access control on its AJAX endpoints. The bundled PDF library is a third item to track: a flaw in it ships with the plugin and is fixed on the plugin's release schedule, not the library's. A balanced conclusion is that the core security areas perform well, while the AJAX handlers and the unsanitized flow present a moderate to high risk on sites where untrusted users can hold accounts. The remedy is a nonce check plus an explicit capability check at the top of each handler; until that is in place, a site operator reduces exposure by limiting who can register an account.

Key Concerns

  • Unprotected AJAX handlers
  • Flow with unsanitized path
  • Bundled library (TCPDF)
Vulnerabilities
1 published

Gravity PDF Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)

Severity Breakdown

Medium
1

1 total CVE

WF-b489427e-f925-4058-8924-7a9557fc4ebf-gravity-forms-pdf-extended
Severity: medium · 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gravity PDF <= 6.3.0 - Reflected Cross-Site Scripting

Disclosed Jun 14, 2022 · Patched in 6.3.1 (588 days)
Version History

Gravity PDF Release Timeline

v6.12.6.3 (current)
v6.12.6.2
Code Analysis
Analyzed Mar 16, 2026

Gravity PDF Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 47 (892 escaped)
Nonce Checks: 4
Capability Checks: 3
File Operations: 27
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

TCPDF

SQL Query Safety

100% prepared · 3 total queries

Output Escaping

95% escaped · 939 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

1 flow, 1 with an unsanitized path
Helper_Abstract_Options (src\Helper\Helper_Abstract_Options.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
9 unprotected

Gravity PDF Attack Surface

Entry Points: 10
Unprotected: 9

AJAX Handlers 9 (all registered on wp_ajax_*, so dispatched only to logged-in users; "unprotected" means no nonce or capability check was found in the handler itself)

auth · wp_ajax_gfpdf_list_delete · src\Controller\Controller_Form_Settings.php:136
auth · wp_ajax_gfpdf_list_duplicate · src\Controller\Controller_Form_Settings.php:137
auth · wp_ajax_gfpdf_change_state · src\Controller\Controller_Form_Settings.php:138
auth · wp_ajax_gfpdf_get_template_fields · src\Controller\Controller_Form_Settings.php:139
auth · wp_ajax_gfpdf_save_core_font · src\Controller\Controller_Save_Core_Fonts.php:103
auth · wp_ajax_gfpdf_deactivate_license · src\Controller\Controller_Settings.php:172
auth · wp_ajax_gfpdf_upload_template · src\Controller\Controller_Templates.php:59
auth · wp_ajax_gfpdf_delete_template · src\Controller\Controller_Templates.php:60
auth · wp_ajax_gfpdf_get_template_options · src\Controller\Controller_Templates.php:61
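To make the "unprotected AJAX handler" metric concrete, here is an added Python example (not Gravity PDF code and not the scanner behind this page) that audits add_action('wp_ajax_*', ...) registrations in a constructed PHP sample; the class, hook and method names in the sample are hypothetical. It flags a handler as unprotected unless its body calls both a nonce check (check_ajax_referer / check_admin_referer / wp_verify_nonce) and a capability check (current_user_can), and it separates wp_ajax_ hooks (logged-in users only) from wp_ajax_nopriv_ hooks (anonymous).

```python
"""Static audit of WordPress AJAX handler registrations.

Added example; it is neither Gravity PDF code nor the scanner that produced
the numbers on this page. It reproduces the page's "unprotected AJAX handler"
metric on a constructed PHP sample: find each add_action('wp_ajax_*', ...)
registration, extract the callback's body, and report whether that body calls
a nonce check and a capability check.
"""
import re
from dataclasses import dataclass

# Constructed sample. Class, hook and method names are hypothetical, not the plugin's.
SAMPLE_PHP = r'''
class Controller_Demo {
    public function add_actions() {
        add_action( 'wp_ajax_demo_upload_template', [ $this, 'ajax_upload_template' ] );
        add_action( 'wp_ajax_demo_delete_template', [ $this, 'ajax_delete_template' ] );
        add_action( 'wp_ajax_nopriv_demo_public_ping', 'demo_public_ping' );
    }

    /* Guarded: CSRF token check, then an explicit authorization check. */
    public function ajax_upload_template() {
        check_ajax_referer( 'demo_ajax_nonce', 'nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( null, 403 );
        }
        wp_send_json_success();
    }

    /* Unguarded: wp_ajax_ fires only for logged-in requests, so any
       authenticated account reaches this, and without a nonce a page on
       another origin can trigger it in a victim's browser (CSRF). */
    public function ajax_delete_template() {
        $name = basename( $_POST['template'] );
        unlink( $this->template_dir . $name );
        wp_send_json_success();
    }
}

/* Registered on wp_ajax_nopriv_, so reachable with no session at all. */
function demo_public_ping() {
    wp_send_json_success( 'pong' );
}
'''

# WordPress guard functions the audit looks for inside a handler body.
GUARDS = {
    "nonce": re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\("),
    "capability": re.compile(r"\b(current_user_can|current_user_can_for_blog)\s*\("),
}

# add_action( 'wp_ajax_<action>', [ $this, 'method' ] )  or  add_action( 'wp_ajax_<action>', 'function' )
REGISTRATION = re.compile(
    r"""add_action\(\s*['"](wp_ajax_(?:nopriv_)?)([A-Za-z0-9_]+)['"]\s*,\s*"""
    r"""(?:\[\s*\$this\s*,\s*['"]([A-Za-z0-9_]+)['"]\s*\]|['"]([A-Za-z0-9_]+)['"])"""
)


@dataclass
class Finding:
    hook: str
    callback: str
    nopriv: bool          # True for wp_ajax_nopriv_ hooks (anonymous callers)
    has_nonce: bool
    has_capability: bool

    @property
    def unprotected(self) -> bool:
        # A handler counts as protected only with both a CSRF token check
        # and an explicit authorization check in its own body.
        return not (self.has_nonce and self.has_capability)


def _function_body(source: str, name: str):
    """Return the brace-delimited body of `function name(...)`, or None.

    Limitation: braces inside strings or comments within the body are not
    handled; good enough for an audit pass, not a PHP parser.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not m:
        return None
    start = source.index("{", m.end())
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start:i + 1]
    return None


def audit_ajax_handlers(source: str) -> list:
    findings = []
    for m in REGISTRATION.finditer(source):
        prefix, action, method, func = m.groups()
        callback = method or func
        body = _function_body(source, callback) or ""
        findings.append(Finding(
            hook=prefix + action,
            callback=callback,
            nopriv=prefix.endswith("nopriv_"),
            has_nonce=bool(GUARDS["nonce"].search(body)),
            has_capability=bool(GUARDS["capability"].search(body)),
        ))
    return findings


def summarize(findings: list) -> dict:
    """The same four counters the Code Analysis / Attack Surface sections report."""
    return {
        "entry_points": len(findings),
        "unprotected": sum(f.unprotected for f in findings),
        "nonce_checks": sum(f.has_nonce for f in findings),
        "capability_checks": sum(f.has_capability for f in findings),
    }


if __name__ == "__main__":
    results = audit_ajax_handlers(SAMPLE_PHP)
    for f in results:
        print(f"{f.hook:36} {f.callback:22} nopriv={f.nopriv!s:5} "
              f"nonce={f.has_nonce!s:5} cap={f.has_capability!s:5} "
              f"{'UNPROTECTED' if f.unprotected else 'ok'}")
    print(summarize(results))
```

Running it prints one line per handler plus the same counters the Code Analysis section reports. Like any static check, it only sees guards inside the callback itself: a check_ajax_referer() call made in a shared helper that the handler invokes is reported as missing, which is one reason a figure such as "9 unprotected" should be confirmed by reading the handlers before it is treated as nine vulnerabilities.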

Shortcodes 1

[gravitypdf] src\Controller\Controller_Shortcodes.php:98
WordPress Hooks 149
filter · gfpdf_override_pdf_bypass · api.php:484
action · plugins_loaded · pdf.php:141
action · admin_init · pdf.php:156
action · after_plugin_row · pdf.php:157
action · admin_notices · pdf.php:180
action · init · src\bootstrap.php:268
action · admin_enqueue_scripts · src\bootstrap.php:269
action · init · src\bootstrap.php:272
action · admin_init · src\bootstrap.php:273
filter · gform_noconflict_scripts · src\bootstrap.php:286
filter · gform_noconflict_styles · src\bootstrap.php:287
filter · plugin_row_meta · src\bootstrap.php:291
filter · admin_body_class · src\bootstrap.php:294
filter · tiny_mce_before_init · src\bootstrap.php:442
filter · gfpdf_settings_sanitize · src\bootstrap.php:971
action · after_setup_theme · src\bootstrap.php:1035
action · admin_init · src\Controller\Controller_Actions.php:109
action · admin_init · src\Controller\Controller_Actions.php:110
action · rest_api_init · src\Controller\Controller_Custom_Fonts.php:96
action · update_option_gfpdf_settings · src\Controller\Controller_Debug.php:92
filter · gfpdf_mpdf_class · src\Controller\Controller_Debug.php:99
filter · gform_export_fields · src\Controller\Controller_Export_Entries.php:27
filter · gform_export_field_value · src\Controller\Controller_Export_Entries.php:28
action · admin_init · src\Controller\Controller_Form_Settings.php:129
action · gform_form_settings_menu · src\Controller\Controller_Form_Settings.php:132
filter · gfpdf_form_settings_custom_appearance · src\Controller\Controller_Form_Settings.php:152
filter · gfpdf_form_settings · src\Controller\Controller_Form_Settings.php:153
filter · gfpdf_form_settings · src\Controller\Controller_Form_Settings.php:156
filter · gfpdf_form_settings_appearance · src\Controller\Controller_Form_Settings.php:157
filter · gfpdf_form_settings_sanitize · src\Controller\Controller_Form_Settings.php:160
filter · gfpdf_form_settings_sanitize_text · src\Controller\Controller_Form_Settings.php:161
filter · gfpdf_form_settings_sanitize_text · src\Controller\Controller_Form_Settings.php:162
filter · gfpdf_form_settings_sanitize_textarea · src\Controller\Controller_Form_Settings.php:163
filter · gfpdf_form_settings_sanitize_number · src\Controller\Controller_Form_Settings.php:164
filter · gfpdf_form_settings_sanitize_paper_size · src\Controller\Controller_Form_Settings.php:165
filter · gfpdf_form_settings_sanitize_hidden · src\Controller\Controller_Form_Settings.php:166
filter · gfpdf_skip_highlight_errors · src\Controller\Controller_Form_Settings.php:168
filter · tiny_mce_before_init · src\Controller\Controller_Form_Settings.php:171
filter · gform_form_update_meta · src\Controller\Controller_Form_Settings.php:174
filter · gform_rule_source_value · src\Controller\Controller_Form_Settings.php:177
filter · gform_is_value_match · src\Controller\Controller_Form_Settings.php:178
action · wp_loaded · src\Controller\Controller_Install.php:131
action · init · src\Controller\Controller_Install.php:134
filter · query_vars · src\Controller\Controller_Install.php:146
filter · gform_replace_merge_tags · src\Controller\Controller_Mergetags.php:62
filter · gform_custom_merge_tags · src\Controller\Controller_Mergetags.php:63
filter · gform_field_map_choices · src\Controller\Controller_Mergetags.php:65
filter · gform_addon_field_value · src\Controller\Controller_Mergetags.php:66
filter · gform_mailchimp_field_value · src\Controller\Controller_Mergetags.php:67
filter · gpgs_row_value · src\Controller\Controller_Mergetags.php:68
action · parse_request · src\Controller\Controller_PDF.php:120
action · parse_request · src\Controller\Controller_PDF.php:121
action · gfpdf_pre_pdf_generation · src\Controller\Controller_PDF.php:124
action · gfpdf_post_pdf_generation · src\Controller\Controller_PDF.php:125
action · gform_entries_first_column_actions · src\Controller\Controller_PDF.php:128
action · gravityflow_workflow_detail_sidebar · src\Controller\Controller_PDF.php:129
action · gform_after_submission · src\Controller\Controller_PDF.php:132
action · gfpdf_post_pdf_generation · src\Controller\Controller_PDF.php:133
action · gform_after_submission · src\Controller\Controller_PDF.php:146
action · gform_after_update_entry · src\Controller\Controller_PDF.php:147
action · gfpdf_cleanup_tmp_dir · src\Controller\Controller_PDF.php:148
action · gfpdf_pre_pdf_generation · src\Controller\Controller_PDF.php:152
action · gfpdf_pre_pdf_generation_output · src\Controller\Controller_PDF.php:153
filter · gfpdf_current_form_object · src\Controller\Controller_PDF.php:156
filter · gfpdf_mpdf_class_config · src\Controller\Controller_PDF.php:169
filter · mpdf_font_data · src\Controller\Controller_PDF.php:170
action · gfpdf_core_template · src\Controller\Controller_PDF.php:171
filter · gfpdf_pdf_middleware · src\Controller\Controller_PDF.php:184
filter · gfpdf_pdf_middleware · src\Controller\Controller_PDF.php:185
filter · gfpdf_pdf_middleware · src\Controller\Controller_PDF.php:186
filter · gfpdf_pdf_middleware · src\Controller\Controller_PDF.php:187
filter · gfpdf_pdf_middleware · src\Controller\Controller_PDF.php:188
filter · gfpdf_pdf_middleware · src\Controller\Controller_PDF.php:189
filter · gfpdf_pdf_middleware · src\Controller\Controller_PDF.php:190
filter · gfpdf_pdf_middleware · src\Controller\Controller_PDF.php:191
filter · gfpdf_field_middleware · src\Controller\Controller_PDF.php:194
filter · gfpdf_field_middleware · src\Controller\Controller_PDF.php:195
filter · gfpdf_field_middleware · src\Controller\Controller_PDF.php:196
filter · gfpdf_field_middleware · src\Controller\Controller_PDF.php:197
filter · gfpdf_field_middleware · src\Controller\Controller_PDF.php:198
filter · gfpdf_field_middleware · src\Controller\Controller_PDF.php:199
filter · gform_notification · src\Controller\Controller_PDF.php:202
filter · mpdf_font_data · src\Controller\Controller_PDF.php:213
filter · mpdf_font_data · src\Controller\Controller_PDF.php:214
filter · gfpdf_mpdf_init_class · src\Controller\Controller_PDF.php:215
filter · gfpdf_pdf_html_output · src\Controller\Controller_PDF.php:218
filter · gfpdf_pdf_html_output · src\Controller\Controller_PDF.php:219
filter · gfpdf_pdf_core_template_html_output · src\Controller\Controller_PDF.php:221
filter · gfpdfe_pre_load_template · src\Controller\Controller_PDF.php:224
filter · gfpdf_template_args · src\Controller\Controller_PDF.php:227
filter · gfpdf_pdf_html_output · src\Controller\Controller_PDF.php:228
filter · gform_before_resend_notifications · src\Controller\Controller_PDF.php:231
filter · gfpdf_pre_view_or_download_pdf · src\Controller\Controller_PDF.php:234
filter · gfpdf_legacy_pre_view_or_download_pdf · src\Controller\Controller_PDF.php:235
filter · gfpdf_pre_pdf_generation_output · src\Controller\Controller_PDF.php:236
filter · weglot_active_translation · src\Controller\Controller_PDF.php:239
filter · gform_entry_detail_meta_boxes · src\Controller\Controller_PDF.php:244
filter · gfpdf_current_form_object · src\Controller\Controller_PDF.php:247
filter · wp_kses_allowed_html · src\Controller\Controller_PDF.php:349
filter · safe_style_css · src\Controller\Controller_PDF.php:350
filter · gform_disable_notification · src\Controller\Controller_Pdf_Queue.php:88
action · gform_after_submission · src\Controller\Controller_Pdf_Queue.php:89
filter · gform_disable_resend_notifications · src\Controller\Controller_Pdf_Queue.php:91
action · gform_post_resend_all_notifications · src\Controller\Controller_Pdf_Queue.php:92
action · gfpdf_settings_sub_menu · src\Controller\Controller_Settings.php:154
action · gfpdf_post_tools_settings_page · src\Controller\Controller_Settings.php:166
filter · gform_tooltips · src\Controller\Controller_Settings.php:185
filter · gfpdf_registered_fields · src\Controller\Controller_Settings.php:189
filter · gfpdf_localised_script_array · src\Controller\Controller_Settings.php:190
filter · gfpdf_capability_name · src\Controller\Controller_Settings.php:194
filter · option_page_capability_gfpdf_settings · src\Controller\Controller_Settings.php:197
filter · gravitypdf_settings_navigation · src\Controller\Controller_Settings.php:198
filter · gfpdf_settings_licenses · src\Controller\Controller_Settings.php:201
filter · gfpdf_settings_license_sanitize · src\Controller\Controller_Settings.php:202
filter · gform_admin_pre_render · src\Controller\Controller_Shortcodes.php:81
filter · gform_confirmation · src\Controller\Controller_Shortcodes.php:82
filter · gform_pre_replace_merge_tags · src\Controller\Controller_Shortcodes.php:83
filter · gravityview/fields/custom/content_before · src\Controller\Controller_Shortcodes.php:86
filter · gform_system_report · src\Controller\Controller_System_Report.php:64
action · gfpdf_version_changed · src\Controller\Controller_Upgrade_Routines.php:46
filter · gform_webhooks_request_data · src\Controller\Controller_Webhooks.php:27
filter · gform_zapier_request_body · src\Controller\Controller_Zapier.php:27
filter · gfpdf_field_html_value · src\deprecated.php:400
filter · gfpdf_field_class · src\deprecated.php:401
action · init · src\Helper\Helper_Abstract_Addon.php:270
filter · gfpdf_settings_extensions · src\Helper\Helper_Abstract_Addon.php:281
action · admin_init · src\Helper\Helper_Abstract_Addon.php:287
filter · plugin_row_meta · src\Helper\Helper_Abstract_Addon.php:300
filter · gfpdf_settings_sanitize · src\Helper\Helper_Abstract_Options.php:165
filter · gfpdf_settings_sanitize · src\Helper\Helper_Abstract_Options.php:166
filter · gfpdf_settings_sanitize_text · src\Helper\Helper_Abstract_Options.php:168
filter · gfpdf_settings_sanitize_textarea · src\Helper\Helper_Abstract_Options.php:169
filter · gfpdf_settings_sanitize_number · src\Helper\Helper_Abstract_Options.php:170
filter · gfpdf_settings_sanitize_paper_size · src\Helper\Helper_Abstract_Options.php:171
filter · sanitize_option_gfpdf_settings · src\Helper\Helper_Abstract_Options.php:750
filter · gform_logging_supported · src\Helper\Helper_Logger.php:79
filter · gform_form_post_get_meta · src\Helper\Helper_Misc.php:727
filter · wp_kses_allowed_html · src\Helper\Helper_Notices.php:188
filter · gfpdf_form_settings_advanced · src\Helper\Helper_Options_Fields.php:33
filter · gfpdf_form_settings_advanced · src\Helper\Helper_Options_Fields.php:34
filter · gform_is_encrypted_field · src\Helper\Helper_Templates.php:723
filter · gfpdf_form_settings_custom_appearance · src\Model\Model_Form_Settings.php:982
filter · gppa_allow_all_lmts · src\Model\Model_PDF.php:2436
filter · gform_pre_replace_merge_tags · src\Model\Model_PDF.php:2447
filter · filesystem_method · src\Model\Model_Templates.php:445
filter · safe_style_css · src\Statics\Kses.php:45
filter · gfpdf_override_pdf_bypass · src\Statics\Queue_Callbacks.php:45
filter · gform_tooltips · src\View\View_GravityForm_Settings_Markup.php:172
filter · wpel_apply_settings · src\View\View_PDF.php:258

Scheduled Events 1

gfpdf_cleanup_tmp_dir
Maintenance & Trust

Gravity PDF Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jul 23, 2025
PHP min version: 7.3
Downloads: 2.1M

Community Trust

Rating: 98/100
Number of ratings: 317
Active installs: 20K
Developer Profile

Gravity PDF Developer Profile

Jake Jackson

1 plugin · 20K total installs

Trust score: 79
Avg Security Score
100/100
Avg Patch Time
588 days
Detection Fingerprints

How We Detect Gravity PDF

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/css/gravitypdf.css
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/gravitypdf.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/editor.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/form-editor.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/admin.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/admin-menu.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/template-editor.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/template-editor-view.js
+16 more
Script Paths
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/gravitypdf.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/editor.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/form-editor.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/admin.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/admin-menu.js
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/template-editor.js
+17 more
Version Parameters
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/css/gravitypdf.css?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/gravitypdf.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/editor.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/form-editor.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/admin.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/admin-menu.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/template-editor.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/template-editor-view.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/template-editor-templates.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/template-editor-render.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/template-editor-fields.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/form-editor-fields.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/form-editor-settings.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/form-editor-templates.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/form-editor-render.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/form-editor-view.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/pdf-collections.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/pdf-collections-view.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/pdf-collections-editor.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/pdf-collections-settings.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/pdf-collections-templates.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/pdf-collections-render.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/pdf-collections-fields.js?ver=
/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/import-export.js?ver=

HTML / DOM Fingerprints

CSS Classes
gpdf-template-editor, gpdf-template-editor-controls, gpdf-template-editor-canvas, gpdf-form-editor, gpdf-form-editor-controls, gpdf-form-editor-canvas, gpdf-pdf-collections, gpdf-pdf-collections-controls, +13 more
HTML Comments
<!-- Gravity PDF -->
<!-- Powered by Gravity PDF -->
<!-- Gravity PDF Template Editor -->
<!-- Gravity PDF Form Editor -->
+2 more
Data Attributes
data-gpdf-template-id, data-gpdf-form-id, data-gpdf-collection-id, data-gpdf-template-slug, data-gpdf-form-slug, data-gpdf-collection-slug
JS Globals
gravitypdf, gpdf_editor, gpdf_form_editor, gpdf_pdf_collections, gpdf_import_export, GravityPDF, +1 more
REST Endpoints
/wp-json/gravitypdf/v1/templates
/wp-json/gravitypdf/v1/forms
/wp-json/gravitypdf/v1/collections
Shortcode Output
[gravitypdf], [gravitypdf_template], [gravitypdf_form], [gravitypdf_collection]
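The patterns above, applied in code: an added Python example (not this page's crawler) that runs the asset-path, HTML-comment, data-attribute, CSS-class, REST-endpoint and JS-global fingerprints over a constructed HTML document, reads the plugin version from the ?ver= query string on its assets, and compares it with the single published fix on this page (reflected XSS in <= 6.3.0, patched in 6.3.1). The example.test hostname and the sample markup are invented; the function names are this example's own.

```python
"""Fingerprint Gravity PDF from page HTML and flag the known XSS version range.

Added example, not the corpus's own crawler. It applies the detection patterns
listed on this page to a constructed HTML document (no network access), reads
the plugin version from the ?ver= query string on its assets, and compares it
against the only published fix on the page: reflected XSS in <= 6.3.0, patched
in 6.3.1. Hostname and markup below are invented.
"""
import re

PLUGIN_DIR = "/wp-content/plugins/gravity-forms-pdf-extended/"
KNOWN_XSS_FIXED_IN = (6, 3, 1)   # page: "Gravity PDF <= 6.3.0 - Reflected XSS, patched in 6.3.1"

# Asset / version-parameter fingerprint: captures the ?ver= value when present.
ASSET_RE = re.compile(
    re.escape(PLUGIN_DIR) + r"src/assets/(?:css|js)/[\w\-]+\.(?:css|js)(?:\?ver=([\w.\-]+))?"
)
COMMENT_RE = re.compile(r"<!--\s*(?:Powered by )?Gravity PDF[^>]*-->")
DATA_ATTR_RE = re.compile(r"\bdata-gpdf-(?:template|form|collection)-(?:id|slug)=")
CSS_CLASS_RE = re.compile(r"""class=["'][^"']*\bgpdf-[\w\-]+""")
REST_RE = re.compile(r"/wp-json/gravitypdf/v1/(?:templates|forms|collections)")
# JS globals are only looked for inside inline <script> bodies, and only as
# declarations, so the plugin name inside an asset URL is not mistaken for one.
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)
JS_GLOBAL_RE = re.compile(
    r"\b(?:var|let|const|window\.)\s*"
    r"(GravityPDF|gravitypdf|gpdf_editor|gpdf_form_editor|gpdf_pdf_collections|gpdf_import_export)\b"
)

# Constructed sample page (invented host and markup).
SAMPLE_HTML = '''<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/gravity-forms-pdf-extended/src/assets/css/gravitypdf.css?ver=6.3.0">
<script src="https://example.test/wp-content/plugins/gravity-forms-pdf-extended/src/assets/js/gravitypdf.js?ver=6.3.0"></script>
<script>var GravityPDF = {rest: "/wp-json/gravitypdf/v1/templates"};</script>
</head><body>
<!-- Gravity PDF -->
<div class="gpdf-template-editor" data-gpdf-template-id="3"></div>
</body></html>'''


def parse_version(text: str) -> tuple:
    """'6.12.6.3' -> (6, 12, 6, 3); tuple comparison orders versions correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def fingerprint(html: str) -> dict:
    evidence = []
    versions = set()
    for m in ASSET_RE.finditer(html):
        evidence.append(("asset", m.group(0)))
        if m.group(1):
            versions.add(m.group(1))
    for kind, rx in (("comment", COMMENT_RE), ("data-attr", DATA_ATTR_RE),
                     ("css-class", CSS_CLASS_RE), ("rest", REST_RE)):
        evidence.extend((kind, m.group(0)) for m in rx.finditer(html))
    for script in INLINE_SCRIPT_RE.finditer(html):
        evidence.extend(("js-global", m.group(1)) for m in JS_GLOBAL_RE.finditer(script.group(1)))
    # One consistent ?ver= value is taken as the plugin version. Caveat: when a
    # plugin enqueues an asset without a version, WordPress appends its own core
    # version instead, so treat this as a hint to confirm, not a proven version.
    version = versions.pop() if len(versions) == 1 else None
    return {"detected": bool(evidence), "evidence": evidence, "version": version}


def possibly_affected_by_known_xss(version) -> bool:
    """True when the observed version predates the 6.3.1 fix recorded on this page."""
    return version is not None and parse_version(version) < KNOWN_XSS_FIXED_IN


if __name__ == "__main__":
    result = fingerprint(SAMPLE_HTML)
    print("detected:", result["detected"], "version:", result["version"])
    for kind, match in result["evidence"]:
        print(f"  {kind:10} {match}")
    print("in known reflected-XSS range:", possibly_affected_by_known_xss(result["version"]))
```

In practice the HTML comes from an HTTP fetch of the target site and several pages should be sampled, since admin-only assets (the editor scripts) never appear on the public front end. The version check is deliberately narrow: it only compares against the one fix this page records, and a site on a patched version still inherits the access-control concerns discussed in the Risk Assessment.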
FAQ

Frequently Asked Questions about Gravity PDF