Hash Form – Drag & Drop Form Builder Security & Risk Analysis

wordpress.org/plugins/hash-form

Create any kind of forms effortlessly with Hash Form – the ultimate drag & drop form builder plugin for WordPress.

4K active installs · v1.3.8 · PHP 7.2+ · WP 6.3+ · Updated Dec 7, 2025
Tags: contact-form, drag-and-drop, form, form-builder
Score 90 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is Hash Form – Drag & Drop Form Builder Safe to Use in 2026?

Generally Safe

Score 90/100

Hash Form – Drag & Drop Form Builder has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: May 7, 2025 · Updated 3mo ago
Risk Assessment

The "hash-form" plugin version 1.3.8 exhibits a mixed security posture. It demonstrates strong practices in SQL prepared statements (97% of queries) and output escaping (98% of outputs), but several concerning aspects remain. The 4 AJAX handlers without authentication checks present a significant attack surface, potentially allowing unauthorized users to trigger critical functionalities. Furthermore, the static analysis identified the use of dangerous functions like `unserialize`, which can be a vector for deserialization vulnerabilities if not handled with extreme care and sanitization.

The plugin's vulnerability history is a notable concern, with a total of 5 known CVEs, including one critical, one high, and three medium severity vulnerabilities. The recurring types of vulnerabilities such as CSRF, Missing Authorization, Unrestricted Upload, and Deserialization of Untrusted Data suggest a pattern of underlying weaknesses in how user inputs and sensitive operations are handled. The fact that there are no currently unpatched vulnerabilities is positive, but the historical prevalence of severe issues warrants caution and diligent monitoring.

In conclusion, "hash-form" v1.3.8 has strengths in its implementation of secure coding practices like prepared statements and output escaping. However, the unprotected AJAX endpoints, the use of `unserialize`, and a history of significant vulnerabilities, particularly those related to authorization and input validation, introduce substantial risks. Users should be aware of these potential weaknesses and ensure the plugin is kept up-to-date with any security patches. The plugin's historical vulnerability trend suggests a need for developers to rigorously address input validation and authorization mechanisms in future updates.

Key Concerns

  • Unprotected AJAX handlers
  • Use of dangerous unserialize function
  • History of critical CVEs
  • History of high severity CVEs
  • History of medium severity CVEs
  • Vulnerability types: Missing Authorization
  • Vulnerability types: Deserialization of Untrusted Data
Vulnerabilities: 5

Hash Form – Drag & Drop Form Builder Security Vulnerabilities

CVEs by Year

  • 2024: 4 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 3

5 total CVEs

CVE-2025-47468 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Hash Form <= 1.2.8 - Cross-Site Request Forgery

May 7, 2025 · Patched in 1.2.9 (6d)

CVE-2024-12201 · medium · 4.3 · Missing Authorization

Hash Form <= 1.2.1 - Missing Authorization to Authenticated (Contributor+) Form Style Creation

Dec 11, 2024 · Patched in 1.2.2 (1d)

CVE-2024-9417 · medium · 6.1 · Unrestricted Upload of File with Dangerous Type

Hash Form - Drag & Drop Form Builder <= 1.1.9 - Unauthenticated Limited File Upload

Oct 4, 2024 · Patched in 1.2.0 (1d)

CVE-2024-5085 · high · 8.1 · Deserialization of Untrusted Data

Hash Form – Drag & Drop Form Builder <= 1.1.0 - Unauthenticated PHP Object Injection

May 22, 2024 · Patched in 1.1.1 (2d)

CVE-2024-5084 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Hash Form – Drag & Drop Form Builder <= 1.1.0 - Unauthenticated Arbitrary File Upload to Remote Code Execution

May 22, 2024 · Patched in 1.1.1 (2d)

Code Analysis
Analyzed Mar 16, 2026

Hash Form – Drag & Drop Form Builder Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 2 (74 prepared)
  • Unescaped Output: 34 (1407 escaped)
  • Nonce Checks: 28
  • Capability Checks: 15
  • File Operations: 14
  • External Requests: 1
  • Bundled Libraries: 1

Dangerous Functions Found

  • `unserialize` · `$form_styles = $form->styles ? unserialize($form->styles) : [];` · admin\classes\HashFormImportExport.php:34
  • `unserialize` · `$exdat['options'] = $form->options ? unserialize($form->options) : [];` · admin\classes\HashFormImportExport.php:36
  • `unserialize` · `$exdat['settings'] = $form->settings ? unserialize($form->settings) : [];` · admin\classes\HashFormImportExport.php:38

Bundled Libraries

Select2

SQL Query Safety

97% prepared · 76 total queries

Output Escaping

98% escaped · 1441 total outputs

Data Flows: All sanitized

Data Flow Analysis

3 flows
process_settings_import (admin\classes\HashFormImportExport.php:110)

Attack Surface: 4 unprotected

Hash Form – Drag & Drop Form Builder Attack Surface

Entry Points: 23
Unprotected: 4

AJAX Handlers 22

  • auth · wp_ajax_hashform_update_form · admin\classes\HashFormBuilder.php:13
  • auth · wp_ajax_hashform_create_form · admin\classes\HashFormBuilder.php:14
  • auth · wp_ajax_hashform_save_form_settings · admin\classes\HashFormBuilder.php:15
  • auth · wp_ajax_hashform_save_form_style · admin\classes\HashFormBuilder.php:16
  • auth · wp_ajax_hashform_form_preview · admin\classes\HashFormBuilder.php:17
  • auth · wp_ajax_hashform_add_more_condition_block · admin\classes\HashFormBuilder.php:18
  • auth · wp_ajax_hashform_file_upload_action · admin\classes\HashFormBuilder.php:23
  • nopriv · wp_ajax_hashform_file_upload_action · admin\classes\HashFormBuilder.php:24
  • auth · wp_ajax_hashform_file_delete_action · admin\classes\HashFormBuilder.php:26
  • nopriv · wp_ajax_hashform_file_delete_action · admin\classes\HashFormBuilder.php:27
  • auth · wp_ajax_hashform_process_entry · admin\classes\HashFormEntry.php:10
  • nopriv · wp_ajax_hashform_process_entry · admin\classes\HashFormEntry.php:11
  • auth · wp_ajax_hashform_insert_field · admin\classes\HashFormFields.php:9
  • auth · wp_ajax_hashform_delete_field · admin\classes\HashFormFields.php:10
  • auth · wp_ajax_hashform_import_options · admin\classes\HashFormFields.php:11
  • auth · wp_ajax_hashform_preview · admin\classes\HashFormPreview.php:7
  • nopriv · wp_ajax_hashform_preview · admin\classes\HashFormPreview.php:8
  • auth · wp_ajax_hashform_test_email_template · admin\classes\HashFormSettings.php:9
  • auth · wp_ajax_hashform_activate_plugin · admin\classes\HashFormSmtp.php:8
  • auth · wp_ajax_hashform_save_style_template · admin\classes\HashFormStyles.php:9
  • auth · wp_ajax_hashform_get_google_font_variants · admin\classes\HashFormStyles.php:10
  • auth · wp_ajax_hashform_template_style_preview · admin\classes\HashFormStyles.php:12

Shortcodes 1

[hashform] admin\classes\HashFormShortcode.php:8

WordPress Hooks 42

  • action · init · admin\classes\HashFormBlock.php:10
  • action · enqueue_block_editor_assets · admin\classes\HashFormBlock.php:11
  • action · plugins_loaded · admin\classes\HashFormBlock.php:14
  • action · enqueue_block_editor_assets · admin\classes\HashFormBlock.php:15
  • filter · hashform_form_classes · admin\classes\HashFormBlock.php:421
  • filter · hashform_enable_style · admin\classes\HashFormBlock.php:422
  • action · wp_footer · admin\classes\HashFormBlock.php:424
  • action · admin_menu · admin\classes\HashFormBuilder.php:10
  • filter · set-screen-option · admin\classes\HashFormBuilder.php:11
  • action · admin_footer · admin\classes\HashFormBuilder.php:19
  • action · wp_loaded · admin\classes\HashFormBuilder.php:29
  • action · init · admin\classes\HashFormBuilder.php:31
  • filter · hashform_translate_string · admin\classes\HashFormBuilder.php:32
  • action · admin_notices · admin\classes\HashFormBuilder.php:905
  • filter · hashform_form_classes · admin\classes\HashFormElement.php:1022
  • filter · hashform_enable_style · admin\classes\HashFormElement.php:1023
  • action · admin_menu · admin\classes\HashFormEntry.php:7
  • filter · set-screen-option · admin\classes\HashFormEntry.php:8
  • action · admin_init · admin\classes\HashFormImportExport.php:9
  • action · admin_init · admin\classes\HashFormImportExport.php:11
  • action · admin_init · admin\classes\HashFormImportExport.php:13
  • action · admin_init · admin\classes\HashFormImportExport.php:15
  • action · init · admin\classes\HashFormLoader.php:8
  • filter · admin_body_class · admin\classes\HashFormLoader.php:9
  • action · admin_enqueue_scripts · admin\classes\HashFormLoader.php:10
  • action · wp_enqueue_scripts · admin\classes\HashFormLoader.php:11
  • action · wp_enqueue_scripts · admin\classes\HashFormLoader.php:12
  • action · elementor/editor/after_enqueue_styles · admin\classes\HashFormLoader.php:13
  • action · admin_menu · admin\classes\HashFormSettings.php:7
  • action · admin_menu · admin\classes\HashFormSmtp.php:7
  • action · admin_init · admin\classes\HashFormSmtp.php:9
  • action · init · admin\classes\HashFormStyles.php:7
  • action · add_meta_boxes · admin\classes\HashFormStyles.php:8
  • action · admin_menu · admin\classes\HashFormStyles.php:11
  • action · admin_init · admin\classes\HashFormStyles.php:13
  • action · admin_enqueue_scripts · admin\classes\HashFormStyles.php:14
  • action · admin_footer · admin\classes\HashFormStyles.php:15
  • filter · post_row_actions · admin\classes\HashFormStyles.php:16
  • filter · hashform_form_classes · admin\classes\HashFormStyles.php:1204
  • action · elementor/widgets/register · hash-form.php:49
  • action · wp_insert_site · hash-form.php:82
  • filter · wpmu_drop_tables · hash-form.php:96

Maintenance & Trust

Hash Form – Drag & Drop Form Builder Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 7, 2025
  • PHP min version: 7.2
  • Downloads: 66K

Community Trust

  • Rating: 100/100
  • Number of ratings: 2
  • Active installs: 4K

Developer Profile

Hash Form – Drag & Drop Form Builder Developer Profile

hashthemes

19 plugins · 66K total installs

  • Trust score: 78
  • Avg Security Score: 99/100
  • Avg Patch Time: 98 days

Detection Fingerprints

How We Detect Hash Form – Drag & Drop Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/hash-form/assets/css/frontend.css
  • /wp-content/plugins/hash-form/assets/css/frontend.min.css
  • /wp-content/plugins/hash-form/assets/js/frontend.js
  • /wp-content/plugins/hash-form/assets/js/frontend.min.js
  • /wp-content/plugins/hash-form/assets/js/recaptcha-v3.js
  • /wp-content/plugins/hash-form/assets/js/recaptcha-v3.min.js
  • /wp-content/plugins/hash-form/assets/js/validation.js
  • /wp-content/plugins/hash-form/assets/js/validation.min.js
  • +4 more

Script Paths

  • /wp-content/plugins/hash-form/assets/js/frontend.js
  • /wp-content/plugins/hash-form/assets/js/recaptcha-v3.js
  • /wp-content/plugins/hash-form/assets/js/validation.js
  • /wp-content/plugins/hash-form/admin/classes/fields/assets/js/customizer.js

Version Parameters

  • hash-form/assets/css/frontend.css?ver=
  • hash-form/assets/js/frontend.js?ver=
  • hash-form/assets/js/recaptcha-v3.js?ver=
  • hash-form/assets/js/validation.js?ver=
  • hash-form/admin/classes/fields/assets/css/customizer.css?ver=
  • hash-form/admin/classes/fields/assets/js/customizer.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • hf-form-builder
  • hf-field-wrapper
  • hf-form-field
  • hf-input-text
  • hf-btn-submit
  • hf-form-title

HTML Comments

  • <!-- HashForm Form Start -->
  • <!-- HashForm Form End -->

Data Attributes

  • data-form-id
  • data-field-id

JS Globals

  • hashFormFrontend
  • hf_globals

REST Endpoints

  • /wp-json/hash-form/v1/submit
  • /wp-json/hash-form/v1/entry

Shortcode Output

  • [hash_form
  • [hash_form_list