HT Contact Form – Drag & Drop Form Builder for WordPress Security & Risk Analysis

wordpress.org/plugins/ht-contactform

The easiest drag & drop form builder for WordPress. Create contact forms, surveys, and lead capture forms in minutes with 38+ fields and 21+ integ …

9K active installs · v2.8.2 · PHP + WP 5.0+ · Updated Mar 3, 2026
contact-form · custom-form · drag-and-drop · form-builder · forms
Score: 88
Grade: A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Jul 16, 2025
Safety Verdict

Is HT Contact Form – Drag & Drop Form Builder for WordPress Safe to Use in 2026?

Generally Safe

Score 88/100

HT Contact Form – Drag & Drop Form Builder for WordPress has six disclosed CVEs and none unpatched. The five 2025 issues were patched within 5 to 8 days of disclosure; the 2023 CSRF took 329 days.

6 known CVEs · Last CVE: Jul 16, 2025 · Updated 1mo ago
Risk Assessment

Static analysis of ht-contactform v2.8.2 shows a mixed posture. Database access is mostly parameterised (32 of 35 queries prepared, 91%), output is mostly escaped (758 of 846 outputs, 90%), and there are 29 capability checks, though only 11 nonce checks. The main finding is one AJAX handler with no authentication check. Separately, three of the nine AJAX actions (temporary file upload, temporary file delete, Mailchimp field tags) are registered with wp_ajax_nopriv_ variants so that visitors can use public forms; for those, the handler's own nonce, file-type and path validation is the only control, and unauthenticated file upload, move and deletion is exactly the class of bug fixed in 2.2.2. The plugin also filters upload_mimes (admin\Includes\Assets.php:20), so any MIME types it adds apply site-wide and deserve a look. The six ZohoCRM REST routes are all GET, including /disconnect, which changes state; confirm each registers a permission_callback, since REST routes sit outside the wp_ajax nonce machinery. Of the eight traced data flows, two reach a sink without passing through a sanitizer; the one listed is handle_oauth_callback (ZohoCRM.php:106). "Unsanitized path" here means a data-flow path, not a filesystem path: an OAuth callback receives attacker-influenceable query parameters, so it should check the state value it issued and run only for an administrator.

The vulnerability history is the main concern. Six CVEs have been disclosed, three of them critical (CVSS 9.1 to 9.8). The three critical ones all affect version 2.2.1, were published on Jul 14, 2025 and were fixed together in 2.2.2; an authenticated local file inclusion affecting versions up to 2.0.0 followed two days later. The types involved, local file inclusion (CWE-98), unrestricted file upload, path traversal, improper privilege management, stored XSS and CSRF, are basic input-validation and authorisation failures rather than exotic bugs. There are no unpatched CVEs at the time of analysis, but a cluster of three unauthenticated file-handling issues fixed in a single release suggests the fixes were reactive, and the same code paths deserve review after every update.

In conclusion, the positive development signals (prepared statements, escaping, capability checks) are offset by the unauthenticated AJAX entry point, the two unsanitized data flows and the history above. The bundled Guzzle copy is reported as version 1.1; confirm the version from the vendored files and check whether it sits behind any of the plugin's 33 outbound requests before relying on the integrations. Treat the plugin as a high-attention dependency: apply updates as soon as they are released, and consider alternatives if the integration features are not needed.

Key Concerns

  • Unprotected AJAX handler
  • Flows with unsanitized paths
  • Bundled outdated library: Guzzle v1.1
  • Historically high number of CVEs
  • Past critical vulnerabilities
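How the kind of AJAX entry point flagged above should be gated, as an added illustration in generic WordPress PHP. This is not the plugin's code; the handler names, nonce actions, directory and allowlist are assumptions, while the WordPress functions called are real. The weak form is shown first, then the hardened form for the same public (nopriv) upload action and for an admin-only action:

```php
<?php
// Added example, not the plugin's code. Handler names, nonce actions and the
// allowlist are assumptions; the WordPress functions are real.

// Weak pattern: reachable by anyone (nopriv), no nonce, the client chooses the
// type and the file name, and the server path is echoed back.
function example_weak_temp_upload() {
    $dest = wp_upload_dir()['basedir'] . '/ht-tmp/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( [ 'path' => $dest ] );
}

// Hardened pattern for the same public entry point.
function example_hardened_temp_upload() {
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 1. Nonce minted when the form was rendered: wp_create_nonce( 'example_form_upload' ).
    //    For a logged-out visitor it only proves the request came from a page this
    //    site served (anti-CSRF); it does not identify anyone.
    check_ajax_referer( 'example_form_upload', 'nonce' );

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // 2. Size cap enforced here, independent of php.ini.
    if ( (int) $_FILES['file']['size'] > 2 * MB_IN_BYTES ) {
        wp_send_json_error( 'too large', 413 );
    }

    // 3. Explicit allowlist, checked against the extension and (where fileinfo is
    //    available) the sniffed content. Passing it as 'mimes' also sidesteps whatever
    //    a site-wide upload_mimes filter has added.
    $allowed = [
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    ];
    $overrides = [
        'test_form'                => false,   // request is not the default 'wp_handle_upload' form
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            // Opaque server-chosen name: no traversal, no overwrite of another submission.
            return wp_generate_password( 32, false ) . $ext;
        },
    ];
    // 4. wp_handle_upload() rejects anything outside the allowlist and places the
    //    file under wp-content/uploads with the name chosen above.
    $result = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    // 5. Return an opaque token, not a filesystem path; the later submit or delete
    //    step resolves the token server-side instead of accepting a path from the client.
    wp_send_json_success( [ 'token' => basename( $result['file'] ) ] );
}
add_action( 'wp_ajax_example_temp_upload',        'example_hardened_temp_upload' );
add_action( 'wp_ajax_nopriv_example_temp_upload', 'example_hardened_temp_upload' );

// Admin-only data (e.g. diagnostics) needs a capability check as well as a nonce,
// and must not get a nopriv registration at all.
function example_diagnostic_data() {
    check_ajax_referer( 'example_diag', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( [ 'php' => PHP_VERSION, 'wp' => get_bloginfo( 'version' ) ] );
}
add_action( 'wp_ajax_example_diagnostic_data', 'example_diagnostic_data' );
```

When auditing the plugin's own nopriv handlers, the questions to ask are the five numbered above: is there a nonce, a size cap, an allowlist checked server-side, a server-chosen file name, and does the delete or move step accept a client-supplied path or a token it can resolve itself. The 2.2.1 CVEs for unauthenticated upload, move and deletion are what failing those checks looks like.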
Vulnerabilities
6

HT Contact Form – Drag & Drop Form Builder for WordPress Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 5 CVEs
(all patched)

Severity Breakdown

Critical
3
Medium
3

6 total CVEs

CVE-2025-54015 · medium · CVSS 6.6 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

HT Contact Form 7 <= 2.0.0 - Authenticated (Administrator+) Local File Inclusion

Jul 16, 2025 · Patched in 2.1.0 (7d)

CVE-2025-7340 · critical · CVSS 9.8 · Unrestricted Upload of File with Dangerous Type

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Upload

Jul 14, 2025 · Patched in 2.2.2 (8d)

CVE-2025-7360 · critical · CVSS 9.1 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Directory Traversal to Arbitrary File Move

Jul 14, 2025 · Patched in 2.2.2 (8d)

CVE-2025-7341 · critical · CVSS 9.1 · Improper Privilege Management

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Deletion

Jul 14, 2025 · Patched in 2.2.2 (8d)
CVE-2025-24726 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HT Contact Form 7 <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 24, 2025 · Patched in 1.2.2 (5d)
CVE-2023-0484 · medium · CVSS 4.3 · Cross-Site Request Forgery (CSRF)

Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks <= 1.1.5 - Cross-Site Request Forgery to Arbitrary Plugin Activation

Feb 28, 2023 · Patched in 1.1.6 (329d)
Code Analysis
Analyzed Mar 16, 2026

HT Contact Form – Drag & Drop Form Builder for WordPress Code Analysis

Dangerous Functions
0
Raw SQL Queries
3
32 prepared
Unescaped Output
88
758 escaped
Nonce Checks
11
Capability Checks
29
File Operations
8
External Requests
33
Bundled Libraries
1

Bundled Libraries

Guzzle 1.1

SQL Query Safety

91% prepared · 35 total queries

Output Escaping

90% escaped · 846 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

8 flows · 2 with unsanitized paths

handle_oauth_callback (admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:106): user input reaches a sink with no sanitizer on the path
Attack Surface
1 unprotected

HT Contact Form – Drag & Drop Form Builder for WordPress Attack Surface

Entry Points: 16
Unprotected: 1

AJAX Handlers 9

auth    wp_ajax_ht_contactform_diagnostic_data           admin\Includes\DiagnosticData.php:97
auth    wp_ajax_ht_contactform_notices                   admin\Includes\Notice.php:55
auth    wp_ajax_ht_form_temp_file_upload                 include\Ajax.php:47
nopriv  wp_ajax_ht_form_temp_file_upload                 include\Ajax.php:48
auth    wp_ajax_ht_form_temp_file_delete                 include\Ajax.php:50
nopriv  wp_ajax_ht_form_temp_file_delete                 include\Ajax.php:51
auth    wp_ajax_ht_form_mailchimp_field_tags             include\Integrations\Mailchimp.php:102
nopriv  wp_ajax_ht_form_mailchimp_field_tags             include\Integrations\Mailchimp.php:103
auth    wp_ajax_ht-contactform_ajax_plugin_activation    include\recommended-plugins\class.recommended-plugins.php:88

REST API Routes 6

GET  /wp-json/ht-form/v1/zohocrm/auth-url      admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:45
GET  /wp-json/ht-form/v1/zohocrm/disconnect    admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:52
GET  /wp-json/ht-form/v1/zohocrm/status        admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:59
GET  /wp-json/ht-form/v1/zohocrm/modules       admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:66
GET  /wp-json/ht-form/v1/zohocrm/fields        admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:73
GET  /wp-json/ht-form/v1/zohocrm/data-centers  admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:87

Shortcodes 1

[ht_form] include\UI\ShortCode.php:113
WordPress Hooks 58
action  in_admin_header                               admin\Admin.php:23
action  admin_menu                                    admin\Admin.php:24
action  init                                          admin\Admin.php:25
action  admin_init                                    admin\Admin.php:26
action  rest_api_init                                 admin\Includes\Api\Endpoints\Draft.php:59
action  rest_api_init                                 admin\Includes\Api\Endpoints\Entry.php:58
action  rest_api_init                                 admin\Includes\Api\Endpoints\Form.php:60
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\ActiveCampaign.php:58
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\ConstantContact.php:81
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\Drip.php:61
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\GetResponse.php:61
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\HubSpot.php:61
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\iContact.php:68
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\Mailchimp.php:60
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\MailerLite.php:60
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\MailPoet.php:55
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\Moosend.php:61
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\Notion.php:61
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\OnepageCRM.php:81
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\Trello.php:51
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:36
action  admin_init                                    admin\Includes\Api\Endpoints\Integrations\ZohoCRM.php:37
action  rest_api_init                                 admin\Includes\Api\Endpoints\Integrations.php:90
action  rest_api_init                                 admin\Includes\Api\Endpoints\Settings.php:57
action  rest_api_init                                 admin\Includes\Api\Endpoints\Submission.php:60
action  rest_api_init                                 admin\Includes\Api\Endpoints\Utilities.php:37
action  admin_enqueue_scripts                         admin\Includes\Assets.php:19
filter  upload_mimes                                  admin\Includes\Assets.php:20
action  admin_init                                    admin\Includes\DiagnosticData.php:107
action  admin_head                                    admin\Includes\DiagnosticData.php:122
action  admin_footer                                  admin\Includes\DiagnosticData.php:123
action  ht_form_drafts_cleanup                        admin\Includes\Models\Drafts.php:92
action  admin_notices                                 admin\Includes\Notice.php:51
action  ht_contactform_admin_notices                  admin\Includes\Notice.php:52
action  admin_footer                                  admin\Includes\Notice.php:54
action  init                                          admin\Includes\PostTypes\FormPostType.php:16
action  enqueue_block_assets                          blocks\block-init.php:33
action  enqueue_block_editor_assets                   blocks\block-init.php:34
action  init                                          blocks\block-init.php:35
action  rest_api_init                                 blocks\block-init.php:36
action  init                                          contact-form-widget-elementor.php:55
action  activated_plugin                              contact-form-widget-elementor.php:56
action  plugins_loaded                                contact-form-widget-elementor.php:57
action  elementor/widgets/widgets_registered          contact-form-widget-elementor.php:58
action  init                                          contact-form-widget-elementor.php:59
action  init                                          contact-form-widget-elementor.php:60
action  init                                          contact-form-widget-elementor.php:97
action  template_redirect                             contact-form-widget-elementor.php:262
action  ht_contactform_remove_old_entries             include\CronJob.php:62
action  ht_form/after_submission                      include\Integrations.php:59
action  admin_menu                                    include\recommended-plugins\class.recommended-plugins.php:84
action  admin_enqueue_scripts                         include\recommended-plugins\class.recommended-plugins.php:85
action  init                                          include\Services\FileManager.php:52
action  ht_form_temp_files_cleanup                    include\Services\FileManager.php:53
filter  ht_form_submission_ip_restrictions_check      include\SubmissionHelper.php:33
filter  ht_form_submission_country_restrictions_check include\SubmissionHelper.php:34
action  admin_post_ht_form_submit_nojs                include\UI\ShortCode.php:86
action  admin_post_nopriv_ht_form_submit_nojs         include\UI\ShortCode.php:87

Scheduled Events 3

ht_form_drafts_cleanup
ht_contactform_remove_old_entries
ht_form_temp_files_cleanup
Maintenance & Trust

HT Contact Form – Drag & Drop Form Builder for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: (not listed)
Downloads: 231K

Community Trust

Rating: 80/100
Number of ratings: 4
Active installs: 9K
Developer Profile

HT Contact Form – Drag & Drop Form Builder for WordPress Developer Profile

HT Plugins

23 plugins · 64K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 124 days
Detection Fingerprints

How We Detect HT Contact Form – Drag & Drop Form Builder for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ht-contactform/assets/css/htcontact-form-admin.css
/wp-content/plugins/ht-contactform/assets/css/form.css
/wp-content/plugins/ht-contactform/assets/lib/choices/choices.min.css
/wp-content/plugins/ht-contactform/assets/lib/intl-tel-input/intlTelInput.min.css
/wp-content/plugins/ht-contactform/assets/lib/flatpickr/flatpickr.min.css
/wp-content/plugins/ht-contactform/assets/lib/country-select/countrySelect.min.css
/wp-content/plugins/ht-contactform/assets/lib/choices/choices.min.js
/wp-content/plugins/ht-contactform/assets/lib/intl-tel-input/IntlTelInput.min.js
+4 more
Version Parameters
ht-contactform/assets/css/htcontact-form-admin.css?ver=
ht-contactform/assets/css/form.css?ver=
ht-contactform/assets/lib/choices/choices.min.css?ver=
ht-contactform/assets/lib/intl-tel-input/IntlTelInput.min.css?ver=
ht-contactform/assets/lib/flatpickr/flatpickr.min.css?ver=
ht-contactform/assets/lib/country-select/countrySelect.min.css?ver=
ht-contactform/assets/lib/choices/choices.min.js?ver=
ht-contactform/assets/lib/intl-tel-input/IntlTelInput.min.js?ver=
ht-contactform/assets/lib/inputmask/inputmask.min.js?ver=
ht-contactform/assets/lib/flatpickr/flatpickr.min.js?ver=
ht-contactform/assets/lib/country-select/countrySelect.min.js?ver=
ht-contactform/assets/lib/axios/axios.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
ht-contact-form-builder
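Putting the fingerprints above together with the fixed-in versions from the CVE list, here is an added triage script in PHP. It is not part of the page's own tooling: it detects the plugin from a page's HTML, reads the version out of the ?ver= parameter on the plugin's own assets, and lists which of the six CVEs still apply to that version. The sample HTML is constructed here, not captured from a real site; the hostname example.test is a placeholder.

```php
<?php
// Added example (not the page's tooling). The CVE table is copied from the list
// above; everything else (function names, sample HTML, host) is assumed.

const HT_CONTACTFORM_CVES = [
    // CVE id          fixed in, title
    'CVE-2025-54015' => [ '2.1.0', 'Authenticated (Administrator+) Local File Inclusion' ],
    'CVE-2025-7340'  => [ '2.2.2', 'Unauthenticated Arbitrary File Upload' ],
    'CVE-2025-7360'  => [ '2.2.2', 'Directory Traversal to Arbitrary File Move' ],
    'CVE-2025-7341'  => [ '2.2.2', 'Unauthenticated Arbitrary File Deletion' ],
    'CVE-2025-24726' => [ '1.2.2', 'Authenticated (Contributor+) Stored Cross-Site Scripting' ],
    'CVE-2023-0484'  => [ '1.1.6', 'Cross-Site Request Forgery to Arbitrary Plugin Activation' ],
];

/** Returns [detected (bool), version (string|null)] for one page of HTML. */
function ht_contactform_fingerprint( string $html ): array {
    $detected = (bool) preg_match( '#/wp-content/plugins/ht-contactform/assets/#', $html )
             || str_contains( $html, 'ht-contact-form-builder' );

    $version = null;
    // Prefer the plugin's own CSS: files under assets/lib are third-party libraries and
    // may be enqueued with their own version string rather than the plugin's.
    if ( preg_match( '#ht-contactform/assets/css/[^"\'?\s]+\?ver=([0-9]+(?:\.[0-9]+)+)#', $html, $m ) ) {
        $version = $m[1];
    } elseif ( preg_match( '#ht-contactform/assets/[^"\'?\s]+\?ver=([0-9]+(?:\.[0-9]+)+)#', $html, $m ) ) {
        $version = $m[1];
    }
    return [ $detected, $version ];
}

/** CVE ids (with titles) whose fixed-in version is newer than the detected version. */
function ht_contactform_applicable_cves( string $version ): array {
    $hits = [];
    foreach ( HT_CONTACTFORM_CVES as $id => [ $fixed, $title ] ) {
        if ( version_compare( $version, $fixed, '<' ) ) {
            $hits[ $id ] = $title;
        }
    }
    return $hits;
}

// Constructed sample: what a page running the plugin at 2.2.1 could look like.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/ht-contactform/assets/css/form.css?ver=2.2.1">
<script src="https://example.test/wp-content/plugins/ht-contactform/assets/lib/axios/axios.min.js?ver=1.6.0"></script>
<div class="ht-contact-form-builder"></div>
HTML;

[ $detected, $version ] = ht_contactform_fingerprint( $sample );
if ( ! $detected ) {
    echo "ht-contactform not detected\n";
    exit( 0 );
}
printf( "ht-contactform detected, version %s\n", $version ?? 'unknown' );
if ( $version !== null ) {
    foreach ( ht_contactform_applicable_cves( $version ) as $id => $title ) {
        printf( "  %s: %s (fixed in %s)\n", $id, $title, HT_CONTACTFORM_CVES[ $id ][0] );
    }
}
```

For the 2.2.1 sample the three critical 2025 CVEs are reported and the rest are not. The ?ver= value is a heuristic: caching and minification plugins strip or rewrite it, and a plugin can enqueue assets with the WordPress version instead of its own. Where the asset version is missing or doubtful, the Stable tag in /wp-content/plugins/ht-contactform/readme.txt, if the host leaves it readable, is the next thing to check before concluding that a CVE applies.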
FAQ

Frequently Asked Questions about HT Contact Form – Drag & Drop Form Builder for WordPress