HTML Forms – Simple WordPress Forms Plugin Security & Risk Analysis

wordpress.org/plugins/html-forms

A simpler, faster, and smarter WordPress forms plugin.

10K active installs · v1.6.4 · PHP 5.3+ · WP 4.6+ · Updated Mar 11, 2026
Tags: contact-form, email-form, form, html-form, upload-form

Score: 89
Grade: A · Safe
CVEs total: 9
Unpatched: 0
Last CVE: Dec 16, 2025
Safety Verdict

Is HTML Forms – Simple WordPress Forms Plugin Safe to Use in 2026?

Generally Safe

Score 89/100

HTML Forms – Simple WordPress Forms Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Dec 16, 2025 · Updated 23d ago
Risk Assessment

The 'html-forms' plugin, version 1.6.4, exhibits a mixed security posture. While it demonstrates some good practices, such as a high percentage of prepared statements for SQL queries and a significant number of capability checks, there are several areas of concern. The presence of two AJAX handlers without authentication checks and three taint flows with unsanitized paths represent significant potential entry points for attackers. The vulnerability history is also a notable weakness, with a history of nine CVEs, including high and medium severity issues such as CSRF, XSS, and SQL Injection. Although there are currently no unpatched CVEs, the pattern of past vulnerabilities suggests a recurring struggle with secure coding practices in these areas.

Overall, the plugin has a moderate risk profile. The numerous past vulnerabilities, combined with the identified weaknesses in its current code analysis, point to a need for significant security improvements. While the plugin is actively maintained and has no unpatched CVEs at this time, the fundamental architectural issues like unprotected AJAX endpoints and unsanitized input flows mean that existing vulnerabilities could be reintroduced or new ones discovered. Users should exercise caution and ensure they are following best practices for plugin security, including regular updates and potential use of additional security hardening measures.

Key Concerns

  • Unprotected AJAX handlers
  • Taint flows with unsanitized paths (High severity)
  • High number of historical CVEs (9 total)
  • 2 High severity historical CVEs
  • 7 Medium severity historical CVEs
  • Output escaping is not fully implemented (61%)
  • Only 3 Nonce checks for 5 entry points
Vulnerabilities (9)

HTML Forms – Simple WordPress Forms Plugin Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 1 CVE
2024: 3 CVEs
2025: 4 CVEs

Severity Breakdown

High: 2
Medium: 7

9 total CVEs

CVE-2025-13861 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting

Dec 16, 2025 · Patched in 1.6.1 (1d)

CVE-2025-12125 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Nov 7, 2025 · Patched in 1.5.6 (1d)

CVE-2025-46236 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML Forms <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 22, 2025 · Patched in 1.5.3 (9d)

CVE-2025-31080 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML Forms <= 1.5.1 - Unauthenticated Stored Cross-Site Scripting

Apr 1, 2025 · Patched in 1.5.2 (9d)

CVE-2024-56060 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML Forms <= 1.4.1 - Reflected Cross-Site Scripting

Dec 18, 2024 · Patched in 1.4.2 (22d)

CVE-2024-6412 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

HTML Forms – Simple WordPress Forms Plugin <= 1.3.33 - Cross-Site Request Forgery

Jul 10, 2024 · Patched in 1.3.34 (31d)

CVE-2024-6243 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML Forms – Simple WordPress Forms <= 1.3.32 - Authenticated (Admin+) Stored Cross-Site Scripting

Jul 1, 2024 · Patched in 1.3.33 (40d)

CVE-2023-50836 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HTML Forms <= 1.3.28 - Authenticated (Administrator+) Cross-Site Scripting

Dec 21, 2023 · Patched in 1.3.30 (93d)

CVE-2022-3689 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

HTML Forms <= 1.3.24 - Authenticated (Administrator+) SQL Injection

Nov 7, 2022 · Patched in 1.3.25 (442d)
Code Analysis (analyzed Mar 16, 2026)

HTML Forms – Simple WordPress Forms Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (14 prepared)
Unescaped Output: 74 (116 escaped)
Nonce Checks: 3
Capability Checks: 5
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

88% prepared · 16 total queries

Output Escaping

61% escaped · 190 total outputs

Data Flows (3 unsanitized)

Data Flow Analysis

4 flows · 3 with unsanitized paths

<page-overview> (views\page-overview.php:0)

Attack Surface (2 unprotected)

HTML Forms – Simple WordPress Forms Plugin Attack Surface

Entry Points: 5
Unprotected: 2

AJAX Handlers 4

auth · wp_ajax_hf_admin_action · src\admin\class-admin.php:32
auth · wp_ajax_hf_dismiss_recaptcha_notice · src\admin\class-admin.php:33
auth · wp_ajax_hf_form_submit · src\class-forms.php:31
nopriv · wp_ajax_hf_form_submit · src\class-forms.php:32

Shortcodes 1

[hf_form] · src\class-forms.php:62
WordPress Hooks 40
action · plugins_loaded · html-forms.php:75
action · init · html-forms.php:76
action · add_user_to_blog · html-forms.php:81
action · wp_insert_site · html-forms.php:84
filter · hf_available_form_actions · src\actions\class-action.php:14
action · admin_menu · src\admin\class-admin.php:25
action · init · src\admin\class-admin.php:26
action · admin_init · src\admin\class-admin.php:27
action · admin_init · src\admin\class-admin.php:28
action · admin_print_styles · src\admin\class-admin.php:29
action · admin_head · src\admin\class-admin.php:30
action · hf_admin_action_create_form · src\admin\class-admin.php:31
action · hf_admin_action_save_form · src\admin\class-admin.php:34
action · hf_admin_action_bulk_delete_submissions · src\admin\class-admin.php:35
action · hf_admin_output_form_tab_fields · src\admin\class-admin.php:37
action · hf_admin_output_form_tab_messages · src\admin\class-admin.php:38
action · hf_admin_output_form_tab_settings · src\admin\class-admin.php:39
action · hf_admin_output_form_tab_actions · src\admin\class-admin.php:40
action · hf_admin_output_form_tab_submissions · src\admin\class-admin.php:41
action · hf_admin_output_form_tab_submissions · src\admin\class-admin.php:42
action · enqueue_block_editor_assets · src\admin\class-admin.php:43
filter · manage_toplevel_page_html-forms_columns · src\admin\class-admin.php:240
filter · wp_privacy_personal_data_exporters · src\admin\class-gdpr.php:9
filter · wp_privacy_personal_data_erasers · src\admin\class-gdpr.php:10
filter · hf_ignored_field_names · src\admin\class-hcaptcha.php:7
action · hf_admin_output_form_messages · src\admin\class-recaptcha.php:24
filter · hf_ignored_field_names · src\admin\class-recaptcha.php:28
filter · hf_validate_form · src\admin\class-recaptcha.php:29
filter · hf_form_markup · src\admin\class-recaptcha.php:30
filter · hf_form_html · src\admin\class-recaptcha.php:31
action · admin_notices · src\admin\class-recaptcha.php:33
action · init · src\class-forms.php:30
action · init · src\class-forms.php:33
action · wp_enqueue_scripts · src\class-forms.php:34
action · parse_request · src\class-forms.php:35
filter · hf_form_markup · src\class-forms.php:36
filter · script_loader_tag · src\class-forms.php:78
filter · pre_handle_404 · src\class-forms.php:364
action · template_redirect · src\class-forms.php:366
action · hf_admin_form_submissions_table_output_column_header · views\tab-submissions-list.php:7
Maintenance & Trust

HTML Forms – Simple WordPress Forms Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 5.3
Downloads: 252K

Community Trust

Rating: 98/100
Number of ratings: 56
Active installs: 10K
Developer Profile

HTML Forms – Simple WordPress Forms Plugin Developer Profile

Link Software LLC

4 plugins · 23K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 94 days
Detection Fingerprints

How We Detect HTML Forms – Simple WordPress Forms Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/html-forms/assets/css/admin.css
/wp-content/plugins/html-forms/assets/js/gutenberg-block.js
/wp-content/plugins/html-forms/assets/js/admin.js
Script Paths
/wp-content/plugins/html-forms/assets/js/gutenberg-block.js
/wp-content/plugins/html-forms/assets/js/admin.js
Version Parameters
html-forms/assets/css/admin.css?ver=
html-forms/assets/js/gutenberg-block.js?ver=
html-forms/assets/js/admin.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-hf-form-id
data-hf-form-slug
JS Globals
html_forms
hf_options
Shortcode Output
[html_form id="
[html_form slug="
FAQ

Frequently Asked Questions about HTML Forms – Simple WordPress Forms Plugin