HDForms | Contact Form Builder Security & Risk Analysis

wordpress.org/plugins/hdforms

HDForms. The easiest way to create contact forms.

50 active installs v1.6.2 PHP 7.0+ WP 5.2.0+ Updated Apr 11, 2026
contactcontact-formformform-builderhdforms
95
A · Safe
CVEs total1
Unpatched0
Last CVEJan 13, 2026
Safety Verdict

Is HDForms | Contact Form Builder Safe to Use in 2026?

Generally Safe

Score 95/100

HDForms | Contact Form Builder has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Jan 13, 2026Updated 3mo ago
Risk Assessment

The "hdforms" plugin v1.6.2 presents a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries, indicating a strong defense against SQL injection. The high percentage of properly escaped output also suggests a reasonable effort to prevent cross-site scripting (XSS) vulnerabilities. However, significant concerns arise from its attack surface. With 5 total entry points, 3 of which lack authentication checks, there's a considerable risk of unauthorized access or manipulation.

The taint analysis, while showing no critical or high severity flows, did identify 2 flows with unsanitized paths. This is particularly concerning when coupled with the known history of a critical 'Path Traversal' vulnerability. Although the vulnerability is listed as unpatched, the presence of unsanitized paths in the code analysis strongly suggests that past vulnerabilities may not have been fully remediated or that similar issues could still exist.

While the plugin benefits from secure SQL practices and good output escaping, the unprotected AJAX handlers and the historical path traversal issue are significant weaknesses. The vulnerability history, particularly the critical path traversal, is a major red flag, even if currently marked as unpatched. This indicates a past susceptibility to severe attacks, and the presence of unsanitized paths in the code analysis reinforces this concern. Therefore, while there are strengths, the plugin's overall security is compromised by its exposed attack surface and historical vulnerabilities.

Key Concerns

  • Unprotected AJAX handlers
  • Unsanitized paths in taint analysis
  • Historical critical path traversal vulnerability
  • Large attack surface without auth
Vulnerabilities
1 published

HDForms | Contact Form Builder Security Vulnerabilities

CVEs by Year

1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Critical
1

1 total CVE

CVE-2025-68912critical · 9.1Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

HDForms <= 1.6.1 - Unauthenticated Arbitrary File Deletion

Jan 13, 2026 Patched in 1.6.2 (93d)
Version History

HDForms | Contact Form Builder Release Timeline

v1.6.2Current
v1.6.11 CVE
v1.61 CVE
v0.51 CVE
Code Analysis
Analyzed Apr 16, 2026

HDForms | Contact Form Builder Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
5
38 escaped
Nonce Checks
2
Capability Checks
2
File Operations
1
External Requests
0
Bundled Libraries
0

Output Escaping

88% escaped43 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths
hdf_submit_form (includes/functions.php:129)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
3 unprotected

HDForms | Contact Form Builder Attack Surface

Entry Points5
Unprotected3

AJAX Handlers 4

authwp_ajax_hdf_save_formincludes/functions.php:83
authwp_ajax_hdf_submit_formincludes/functions.php:176
noprivwp_ajax_hdf_submit_formincludes/functions.php:177
authwp_ajax_hdf_get_form_listindex.php:104

Shortcodes 1

[hdf] index.php:43
WordPress Hooks 13
actionhdf_flood_cronincludes/functions.php:224
filterwp_mail_from_nameincludes/functions.php:433
filterhdf_actionsincludes/functions.php:567
actioninitincludes/post-type.php:57
actionadd_meta_boxesincludes/post-type.php:66
actionload-post.phpincludes/post-type.php:68
actionload-post-new.phpincludes/post-type.php:69
filterscreen_layout_columnsincludes/post-type.php:119
filterget_user_option_screen_layout_hdformincludes/post-type.php:126
filtermanage_hdf_form_posts_columnsincludes/post-type.php:138
actionmanage_hdf_form_posts_custom_columnincludes/post-type.php:146
actioninitindex.php:68
actionadmin_menuindex.php:118

Scheduled Events 1

hdf_flood_cron
Maintenance & Trust

HDForms | Contact Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 11, 2026
PHP min version7.0
Downloads3K

Community Trust

Rating100/100
Number of ratings1
Active installs50
Developer Profile

HDForms | Contact Form Builder Developer Profile

Harmonic Design

6 plugins · 8K total installs

73
trust score
Avg Security Score
92/100
Avg Patch Time
186 days
View full developer profile
Detection Fingerprints

How We Detect HDForms | Contact Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hdforms/includes/css/admin_style.css/wp-content/plugins/hdforms/includes/js/block.js
Script Paths
includes/js/block.js
Version Parameters
hdf_admin_style?v=

HTML / DOM Fingerprints

CSS Classes
hdf_buttonhdf-itemhdf-item-radiohdf-labelhdf-hinthdf-check-rowhdf-options-checkhdf-radio-input+2 more
HTML Comments
<!-- mini HDForms :) -->
Data Attributes
data-iddata-value
JS Globals
HDF
REST Endpoints
/wp-json/wp/v2/hdf_form
Shortcode Output
[hdf form=
FAQ

Frequently Asked Questions about HDForms | Contact Form Builder