
HDForms | Contact Form Builder Security & Risk Analysis
wordpress.org/plugins/hdformsHDForms. The easiest way to create contact forms.
Is HDForms | Contact Form Builder Safe to Use in 2026?
Generally Safe
Score 95/100HDForms | Contact Form Builder has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.
The "hdforms" plugin v1.6.2 presents a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries, indicating a strong defense against SQL injection. The high percentage of properly escaped output also suggests a reasonable effort to prevent cross-site scripting (XSS) vulnerabilities. However, significant concerns arise from its attack surface. With 5 total entry points, 3 of which lack authentication checks, there's a considerable risk of unauthorized access or manipulation.
The taint analysis, while showing no critical or high severity flows, did identify 2 flows with unsanitized paths. This is particularly concerning when coupled with the known history of a critical 'Path Traversal' vulnerability. Although the vulnerability is listed as unpatched, the presence of unsanitized paths in the code analysis strongly suggests that past vulnerabilities may not have been fully remediated or that similar issues could still exist.
While the plugin benefits from secure SQL practices and good output escaping, the unprotected AJAX handlers and the historical path traversal issue are significant weaknesses. The vulnerability history, particularly the critical path traversal, is a major red flag, even if currently marked as unpatched. This indicates a past susceptibility to severe attacks, and the presence of unsanitized paths in the code analysis reinforces this concern. Therefore, while there are strengths, the plugin's overall security is compromised by its exposed attack surface and historical vulnerabilities.
Key Concerns
- Unprotected AJAX handlers
- Unsanitized paths in taint analysis
- Historical critical path traversal vulnerability
- Large attack surface without auth
HDForms | Contact Form Builder Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
HDForms <= 1.6.1 - Unauthenticated Arbitrary File Deletion
HDForms | Contact Form Builder Release Timeline
HDForms | Contact Form Builder Code Analysis
Output Escaping
Data Flow Analysis
HDForms | Contact Form Builder Attack Surface
AJAX Handlers 4
Shortcodes 1
WordPress Hooks 13
Scheduled Events 1
Maintenance & Trust
HDForms | Contact Form Builder Maintenance & Trust
Maintenance Signals
Community Trust
HDForms | Contact Form Builder Alternatives
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
wpforms-lite
The best WordPress contact form plugin. Drag & Drop form builder to create beautiful contact forms, payment forms, & other custom forms.
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
fluentform
Get a fast contact form plugin. Create advanced forms using drag and drop form builder with all smart features.
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
metform
The most popular Elementor forms builder to create WordPress forms like contact forms, booking forms, feedback form, survey forms, application forms a …
Ninja Forms – The Contact Form Builder That Grows With You
ninja-forms
The 100% beginner friendly WordPress form builder. Drag & drop form fields to build beautiful, professional contact forms in minutes.
SureForms – Contact Form, Payment Form & Other Custom Form Builder
sureforms
The most beginner-friendly AI Form Builder for WordPress. Create contact, payment, quiz & custom forms with advanced features in minutes.
HDForms | Contact Form Builder Developer Profile
6 plugins · 8K total installs
How We Detect HDForms | Contact Form Builder
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/hdforms/includes/css/admin_style.css/wp-content/plugins/hdforms/includes/js/block.jsincludes/js/block.jshdf_admin_style?v=HTML / DOM Fingerprints
hdf_buttonhdf-itemhdf-item-radiohdf-labelhdf-hinthdf-check-rowhdf-options-checkhdf-radio-input+2 more<!-- mini HDForms :) -->data-iddata-valueHDF/wp-json/wp/v2/hdf_form[hdf form=