Lead Form Builder & Contact Form Security & Risk Analysis

wordpress.org/plugins/lead-form-builder

Fast Drag & Drop Contact Form Builder and Lead Generation Tool With Google One Tap Login. Supports Block Editor.

10K active installs · v2.1.0 · PHP + WP 5.5+ · Updated Mar 13, 2026

Tags: contact-form · contact-form-builder · lead-form-builder · newsletter-form · responsive-form

Security score: 89 (A · Safe)
CVEs total: 10
Unpatched: 0
Last CVE: Mar 10, 2026
Safety Verdict

Is Lead Form Builder & Contact Form Safe to Use in 2026?

Generally Safe

Score 89/100

Lead Form Builder & Contact Form has a strong security track record. Known vulnerabilities have been patched promptly.

10 known CVEs · Last CVE: Mar 10, 2026 · Updated 21d ago
Risk Assessment

The plugin "lead-form-builder" v2.1.0 exhibits a mixed security posture. While it demonstrates good practices in SQL query preparation (88%) and output escaping (87%), and implements a reasonable number of nonce and capability checks, there are significant areas of concern. The presence of two unprotected AJAX handlers creates an immediate attack vector for unauthorized actions. The taint analysis reveals a high number of flows with unsanitized paths (13 out of 21 analyzed), including nine with high severity, suggesting potential for serious vulnerabilities like code injection or cross-site scripting if these flows are triggered by user input. The use of the `unserialize` function, flagged as a dangerous function, is another red flag, as it can lead to remote code execution if not handled with extreme caution and proper input validation.

The plugin's vulnerability history is a major concern, with ten known CVEs, including two high-severity vulnerabilities. While none are currently unpatched in this specific version, the recurring types of vulnerabilities (Exposure of Sensitive Information, Code Injection, CSRF, Missing Authorization, XSS) indicate a pattern of security weaknesses that have historically been exploited. The fact that the last vulnerability was dated in the future (2026-03-10) is likely an anomaly in the data provided and should be disregarded in a real-world assessment. Overall, while the plugin has some strengths in secure coding practices, the combination of unprotected entry points, critical taint flows, dangerous function usage, and a history of diverse, high-severity vulnerabilities points to a moderately high risk that requires careful attention and remediation.

Key Concerns

  • Unprotected AJAX handlers
  • High number of unsanitized taint flows (High severity)
  • Use of dangerous function: unserialize
  • Known CVEs: 2 High severity
  • Known CVEs: 8 Medium severity
  • Vulnerability types: Code Injection, CSRF, Missing Auth, XSS
Vulnerabilities (10)

Lead Form Builder & Contact Form Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2022: 2 CVEs
  • 2024: 4 CVEs
  • 2025: 1 CVE
  • 2026: 2 CVEs

Severity Breakdown

  • High: 2
  • Medium: 8

10 total CVEs

CVE-2026-1454 · High · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting
  Mar 10, 2026 · Patched in 2.0.2 (1d)

CVE-2025-68046 · Medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor
  Contact Form & Lead Form Elementor Builder <= 2.0.1 - Authenticated (Subscriber+) Information Exposure
  Jan 20, 2026 · Patched in 2.0.2 (36d)

CVE-2024-10475 · Medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Responsive Contact Form Builder & Lead Generation Plugin <= 1.9.7 - Authenticated (Admin+) Stored Cross-Site Scripting
  Mar 3, 2025 · Patched in 1.9.8 (86d)

CVE-2024-4261 · Medium · 5.4 · Improper Control of Generation of Code ('Code Injection')
  Responsive Contact Form Builder & Lead Generation Plugin <= 1.9.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
  May 21, 2024 · Patched in 1.9.2 (2d)

CVE-2024-3637 · Medium · 6.6 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Responsive Contact Form Builder & Lead Generation Plugin <= 1.9.7 - Authenticated (Admin+) Stored Cross-Site Scripting
  Apr 12, 2024 · Patched in 1.9.8 (453d)

CVE-2024-1416 · Medium · 4.3 · Cross-Site Request Forgery (CSRF)
  Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Missing Authorization
  Apr 11, 2024 · Patched in 1.9.0 (51d)

CVE-2024-1415 · Medium · 4.3 · Cross-Site Request Forgery (CSRF)
  Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Cross-Site Request Forgery
  Apr 11, 2024 · Patched in 1.9.0 (41d)

CVE-2022-23180 · Medium · 6.3 · Missing Authorization
  Contact Form & Lead Form Elementor Builder < 1.7.4 - Arbitrary Settings Change
  Feb 1, 2022 · Patched in 1.7.4 (721d)

CVE-2022-23179 · Medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Responsive Contact Form Builder & Lead Generation Plugin < 1.7.0 - Authenticated (Admin+) Stored Cross-Site Scripting
  Jan 5, 2022 · Patched in 1.7.0 (763d)

CVE-2021-24967 · High · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Contact Form & Lead Form Elementor Builder <= 1.6.3 - Unauthenticated Stored Cross-Site Scripting
  Nov 29, 2021 · Patched in 1.6.4 (785d)
Code Analysis · Analyzed Mar 16, 2026

Lead Form Builder & Contact Form Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 9 (69 prepared)
  • Unescaped Output: 54 (364 escaped)
  • Nonce Checks: 20
  • Capability Checks: 21
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$multiData = unserialize($posts[0]->multiData);` · inc\front-end.php:9
  • unserialize · `$multiData = unserialize($posts[0]->multiData);` · inc\front-end.php:19
  • unserialize · `$this->smtpmail = isset($smtp[0]->ext_api)?unserialize($smtp[0]->ext_api):'';` · inc\lead-store-type.php:11

SQL Query Safety

88% prepared (78 total queries)

Output Escaping

87% escaped (418 total outputs)

Data Flows · 13 unsanitized

Data Flow Analysis

21 flows · 13 with unsanitized paths

  • lfb_ajax_load_form_page (inc\ajax-functions.php:767)
Attack Surface · 2 unprotected

Lead Form Builder & Contact Form Attack Surface

Entry Points: 23
Unprotected: 2

AJAX Handlers (22)

  • auth · wp_ajax_lead_form_builderr_data · block\app.php:14
  • auth · wp_ajax_SaveLeadSettings · inc\ajax-functions.php:31
  • auth · wp_ajax_SaveEmailSettings · inc\ajax-functions.php:60
  • auth · wp_ajax_SaveCaptchaSettings · inc\ajax-functions.php:86
  • auth · wp_ajax_delete_leads_backend · inc\ajax-functions.php:115
  • auth · wp_ajax_SaveCaptchaOption · inc\ajax-functions.php:140
  • auth · wp_ajax_ShowAllLeadThisForm · inc\ajax-functions.php:250
  • auth · wp_ajax_ShowLeadPagi · inc\ajax-functions.php:373
  • auth · wp_ajax_ShowAllLeadThisFormDate · inc\ajax-functions.php:511
  • auth · wp_ajax_Save_Form_Data · inc\ajax-functions.php:611
  • nopriv · wp_ajax_Save_Form_Data · inc\ajax-functions.php:612
  • auth · wp_ajax_verifyFormCaptcha · inc\ajax-functions.php:640
  • nopriv · wp_ajax_verifyFormCaptcha · inc\ajax-functions.php:641
  • auth · wp_ajax_RememberMeThisForm · inc\ajax-functions.php:659
  • auth · wp_ajax_SaveUserEmailSettings · inc\ajax-functions.php:704
  • auth · wp_ajax_lfb_bulk_delete_forms · inc\ajax-functions.php:733
  • auth · wp_ajax_lfb_bulk_delete_leads · inc\ajax-functions.php:762
  • auth · wp_ajax_LFBLoadFormPage · inc\ajax-functions.php:778
  • auth · wp_ajax_lfb_save_success_msg · inc\ajax-functions.php:802
  • auth · wp_ajax_lfb_duplicate_form · inc\ajax-functions.php:835
  • auth · wp_ajax_th_activeplugin · inc\themehunk-menu\admin-menu.php:49
  • auth · wp_ajax_th_filter_plugins · inc\themehunk-menu\admin-menu.php:78

Shortcodes (1)

  • [lead-form] · inc\lf-shortcode.php:16

WordPress Hooks (22)

  • filter · block_categories_all · block\app.php:17
  • action · init · block\app.php:131
  • action · init · elementor\class-lfb-init.php:83
  • action · plugins_loaded · elementor\class-lfb-init.php:84
  • action · elementor/frontend/after_enqueue_styles · elementor\class-lfb-init.php:120
  • action · elementor/elements/categories_registered · elementor\class-lfb-init.php:150
  • action · elementor/widgets/widgets_registered · elementor\class-lfb-init.php:159
  • action · phpmailer_init · inc\lead-store-type.php:19
  • action · admin_init · inc\lf-db.php:99
  • action · admin_enqueue_scripts · inc\lf-install.php:30
  • action · wp_enqueue_scripts · inc\lf-install.php:39
  • action · admin_menu · inc\lf-install.php:56
  • filter · widget_text · inc\lf-shortcode.php:17
  • action · widgets_init · inc\lfb-widget.php:7
  • action · admin_menu · inc\themehunk-menu\admin-menu.php:9
  • action · admin_enqueue_scripts · inc\themehunk-menu\admin-menu.php:10
  • filter · plugin_row_meta · lead-form-builder.php:38
  • action · init · lead-form-builder.php:84
  • action · admin_init · notify\notify.php:14
  • action · admin_notices · notify\notify.php:17
  • action · admin_enqueue_scripts · notify\notify.php:18
  • action · admin_notices · notify\notify.php:23
Maintenance & Trust

Lead Form Builder & Contact Form Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 13, 2026
  • PHP min version:
  • Downloads: 837K

Community Trust

  • Rating: 84/100
  • Number of ratings: 5
  • Active installs: 10K
Developer Profile

Lead Form Builder & Contact Form Developer Profile

ThemeHunk

48 plugins · 66K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 189 days
Detection Fingerprints

How We Detect Lead Form Builder & Contact Form

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/lead-form-builder/css/lfb-styler.css
  • /wp-content/plugins/lead-form-builder/block/app.js
  • /wp-content/plugins/lead-form-builder/inc/lf-db.js
  • /wp-content/plugins/lead-form-builder/inc/inc.js
  • /wp-content/plugins/lead-form-builder/notify/notify.js
  • /wp-content/plugins/lead-form-builder/notify/notify.css

Script Paths
  • /wp-content/plugins/lead-form-builder/block/app.js
  • /wp-content/plugins/lead-form-builder/inc/lf-db.js
  • /wp-content/plugins/lead-form-builder/inc/inc.js
  • /wp-content/plugins/lead-form-builder/notify/notify.js

Version Parameters
  • lead-form-builder/css/lfb-styler.css?ver=
  • lead-form-builder/block/app.js?ver=
  • lead-form-builder/inc/lf-db.js?ver=
  • lead-form-builder/inc/inc.js?ver=
  • lead-form-builder/notify/notify.js?ver=
  • lead-form-builder/notify/notify.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • lfb-form-container
  • lfb-input-field
  • lfb-submit-button
  • lfb-styler-widget

HTML Comments
  • <!--Lead Form Builder Start-->
  • <!--Lead Form Builder End-->
  • <!-- Elementor Lead Form Styler Widget -->

Data Attributes
  • data-lfb-form-id
  • data-lfb-form-settings

JS Globals
  • window.LFB_Ajax
  • var leadFormBuilderAdmin;

REST Endpoints
  • /wp-json/lead-form-builder/v1/submit
  • /wp-json/lead-form-builder/v1/get-form

Shortcode Output
  • [lead_form_builder id='']
FAQ

Frequently Asked Questions about Lead Form Builder & Contact Form