Gravity Forms Zero Spam Security & Risk Analysis

wordpress.org/plugins/gravity-forms-zero-spam

Enhance your Gravity Forms to include anti-spam measures originally based on the work of David Walsh's "Zero Spam" technique.

100K active installs · v1.7.2 · PHP 7.4+ · WP 4.7+ · Updated Mar 12, 2026

Tags: anti-spam, captcha, gravity-forms, honeypot, spam

Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Gravity Forms Zero Spam Safe to Use in 2026?

Generally Safe

Score 100/100

Gravity Forms Zero Spam has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 22d ago
Risk Assessment

The "gravity-forms-zero-spam" plugin version 1.7.2 demonstrates a mixed security posture. On the positive side, it shows strong practices in data handling with all SQL queries using prepared statements and all output being properly escaped. Furthermore, the absence of file operations, external HTTP requests, and bundled libraries is commendable. The plugin also has no recorded vulnerability history, suggesting a generally stable development process.

However, a significant concern arises from the presence of two AJAX handlers that lack authentication checks. This exposes a direct attack surface without proper authorization, potentially allowing unauthenticated users to trigger plugin functionality. The absence of nonce checks on these AJAX handlers exacerbates this risk, making them vulnerable to Cross-Site Request Forgery (CSRF) attacks. While taint analysis and vulnerability history show no immediate threats, the unprotected AJAX endpoints represent a notable weakness that could be exploited if malicious input is processed or actions are performed without validation.

In conclusion, while the plugin excels in core secure coding practices like prepared statements and output escaping, the unprotected AJAX endpoints are a critical oversight. The lack of any documented vulnerabilities is a good sign, but it does not negate the inherent risk posed by these open attack vectors. Developers should prioritize adding authentication and nonce checks to these handlers to bolster the plugin's security.

Key Concerns

  • AJAX handlers without authentication
  • Missing nonce checks on AJAX
Vulnerabilities
None known

Gravity Forms Zero Spam Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Gravity Forms Zero Spam Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 0 (9 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

100% escaped (9 total outputs)
Attack Surface
2 unprotected

Gravity Forms Zero Spam Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers (2)

auth     wp_ajax_gf_zero_spam_token    includes\class-gf-zero-spam-token-endpoint.php:39
nopriv   wp_ajax_gf_zero_spam_token    includes\class-gf-zero-spam-token-endpoint.php:40
WordPress Hooks (26)

action   gform_loaded                                gravityforms-zero-spam.php:30
action   gform_field_advanced_settings               includes\class-email-rejection-field-settings.php:23
action   admin_enqueue_scripts                       includes\class-email-rejection-field-settings.php:24
action   admin_enqueue_scripts                       includes\class-email-rejection-settings.php:43
filter   gform_email_field_rejectable_values         includes\class-email-rejection.php:96
filter   gform_field_validation                      includes\class-email-rejection.php:97
filter   gform_validation                            includes\class-email-rejection.php:101
filter   gform_entry_is_spam                         includes\class-email-rejection.php:102
action   gform_after_submission                      includes\class-email-rejection.php:103
filter   gform_form_settings_fields                  includes\class-gf-zero-spam-addon.php:106
filter   gform_tooltips                              includes\class-gf-zero-spam-addon.php:107
filter   gf_zero_spam_check_key_field                includes\class-gf-zero-spam-addon.php:111
filter   gf_zero_spam_add_key_field                  includes\class-gf-zero-spam-addon.php:113
filter   cron_schedules                              includes\class-gf-zero-spam-addon.php:115
action   gform_after_submission                      includes\class-gf-zero-spam-addon.php:117
action   gform_update_status                         includes\class-gf-zero-spam-addon.php:118
action   rest_api_init                               includes\class-gf-zero-spam-token-endpoint.php:38
action   gform_register_init_scripts                 includes\class-gf-zero-spam.php:58
filter   gform_get_form_filter                       includes\class-gf-zero-spam.php:59
filter   gform_entry_is_spam                         includes\class-gf-zero-spam.php:60
filter   gform_incomplete_submission_pre_save        includes\class-gf-zero-spam.php:61
filter   gform_abort_submission_with_confirmation    includes\class-gf-zero-spam.php:62
action   admin_notices                               includes\class-gf-zero-spam.php:63
action   admin_init                                  includes\class-gf-zero-spam.php:64
action   gform_entry_created                         includes\class-gf-zero-spam.php:354
action   gform_entry_created                         includes\class-gf-zero-spam.php:383
Maintenance & Trust

Gravity Forms Zero Spam Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 1.0M

Community Trust

Rating: 86/100
Number of ratings: 23
Active installs: 100K
Developer Profile

Gravity Forms Zero Spam Developer Profile

GravityKit

3 plugins · 111K total installs

Trust score: 92
Avg Security Score: 97/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Gravity Forms Zero Spam

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gravity-forms-zero-spam/dist/js/gf-zero-spam-admin.js
/wp-content/plugins/gravity-forms-zero-spam/dist/css/gf-zero-spam.css
Version Parameters
gf-zero-spam-admin.js?ver=
gf-zero-spam.css?ver=

HTML / DOM Fingerprints

CSS Classes
email_rejection_setting
gf-zero-spam-field-rule-builder
HTML Comments
<!-- My mother always said to use things as they're intended or not at all. -->
<!-- Registers per-field email rejection settings in the GF form editor -->
<!-- and enqueues the FieldRuleBuilder UI. -->
<!-- Renders the email rejection settings HTML in the field editor. -->
(and 28 more)
Data Attributes
style="display: none;"
JS Globals
gfZeroSpamEmailRules_field
FAQ

Frequently Asked Questions about Gravity Forms Zero Spam