The Innovative Form Builder – IvyForms Security & Risk Analysis

wordpress.org/plugins/ivyforms

The most innovative WordPress Form Builder plugin. Build awesome contact, order, registration, custom forms, and more in minutes.

100 active installs · v0.9.1 · PHP 7.4+ · WP 5.0+ · Updated Mar 3, 2026
Tags: contact-form, custom-form, form, form-builder, wp-forms
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is The Innovative Form Builder – IvyForms Safe to Use in 2026?

Generally Safe

Score 100/100

The Innovative Form Builder – IvyForms has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "ivyforms" plugin v0.9.1 exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to secure coding practices with a high percentage of SQL queries using prepared statements and properly escaped output. The plugin also has a clean vulnerability history, with no known CVEs recorded, suggesting a generally robust development and maintenance process.

However, there are significant concerns regarding its attack surface. The plugin exposes two AJAX handlers that lack authentication checks, presenting a clear entry point for unauthenticated attackers. The presence of the `unserialize` function, a known risky function, also raises a flag, especially if its input is not meticulously validated. While the taint analysis shows no critical or high-severity flows, the lack of authentication on AJAX endpoints coupled with the `unserialize` function creates potential for exploitation if attacker-controlled data can reach these functions.

In conclusion, while "ivyforms" benefits from good coding practices in areas like SQL and output handling, and has no historical vulnerabilities, the unprotected AJAX endpoints and the use of `unserialize` represent notable security weaknesses. These issues should be prioritized for remediation to enhance the plugin's overall security.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function: unserialize
Vulnerabilities
None known

The Innovative Form Builder – IvyForms Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

The Innovative Form Builder – IvyForms Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 3 (93 prepared)
Unescaped Output: 6 (116 escaped)
Nonce Checks: 2
Capability Checks: 44
File Operations: 10
External Requests: 4
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$serializable = unserialize($signature['serializable']);` · backend\scope-vendor\laravel\serializable-closure\src\Serializers\Signed.php:87

Bundled Libraries

DataTables

SQL Query Safety

97% prepared · 96 total queries

Output Escaping

95% escaped · 122 total outputs
Attack Surface
2 unprotected

The Innovative Form Builder – IvyForms Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_ivyforms_api · backend\src\Plugin\Plugin.php:136
nopriv · wp_ajax_ivyforms_api · backend\src\Plugin\Plugin.php:137

Shortcodes 1

[ivyforms] backend\src\Plugin\Plugin.php:267
WordPress Hooks 18
action · admin_init · backend\src\Plugin\AdminHooks.php:48
filter · admin_body_class · backend\src\Plugin\AdminHooks.php:49
action · admin_enqueue_scripts · backend\src\Plugin\AdminHooks.php:50
action · plugins_loaded · backend\src\Plugin\Plugin.php:127
action · init · backend\src\Plugin\Plugin.php:130
action · rest_api_init · backend\src\Plugin\Plugin.php:133
action · wpmu_new_blog · backend\src\Plugin\Plugin.php:140
filter · wp_script_attributes · backend\src\Plugin\Plugin.php:142
action · init · backend\src\Plugin\Plugin.php:274
filter · block_categories_all · backend\src\Services\Integrations\Gutenberg\Blocks\GutenbergBlockAssets.php:30
action · enqueue_block_editor_assets · backend\src\Services\Integrations\Gutenberg\Blocks\GutenbergBlockAssets.php:59
action · enqueue_block_assets · backend\src\Services\Integrations\Gutenberg\Blocks\GutenbergBlockAssets.php:62
action · admin_menu · backend\src\Services\Menu\MenuManager.php:33
action · admin_enqueue_scripts · backend\src\Services\Menu\MenuManager.php:36
action · admin_footer · backend\src\Services\Menu\MenuManager.php:58
action · template_redirect · backend\src\Services\Preview\PreviewService.php:70
filter · template_include · backend\src\Services\Preview\PreviewService.php:71
filter · post_thumbnail_html · backend\src\Services\Preview\PreviewService.php:73
Maintenance & Trust

The Innovative Form Builder – IvyForms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: 7.4
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 100
Developer Profile

The Innovative Form Builder – IvyForms Developer Profile

wpDataTables

3 plugins · 71K total installs

Trust score: 65
Avg Security Score: 80/100
Avg Patch Time: 1032 days
Detection Fingerprints

How We Detect The Innovative Form Builder – IvyForms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ivyforms/frontend/assets/css/global-admin.css
/wp-content/plugins/ivyforms/frontend/assets/js/admin-deactivation-modal.js
Script Paths
/wp-content/plugins/ivyforms/frontend/assets/js/admin-deactivation-modal.js
Version Parameters
ivyforms/style.css?ver=
ivyforms-deactivation-modal?ver=
ivyforms_admin_global?ver=

HTML / DOM Fingerprints

CSS Classes
ivyforms-fullscreen-mode
Data Attributes
data-ivyforms-block
JS Globals
ivyformsData
REST Endpoints
/ivyforms/v1/deactivation-feedback
FAQ

Frequently Asked Questions about The Innovative Form Builder – IvyForms