Magic Conversation For Gravity Forms Security & Risk Analysis

wordpress.org/plugins/magic-conversation-for-gravity-forms

Magic Conversation For Gravity Forms is a WordPress conversational form plugin that lets you convert a Gravity Form into a conversational form.

10 active installs · v3.0.100 · PHP + · WP 3.9+ · Updated Mar 24, 2026
Tags: contact-form, conversational-form, mobile-friendly, responsive
Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 7, 2026
Safety Verdict

Is Magic Conversation For Gravity Forms Safe to Use in 2026?

Generally Safe

Score 99/100

Magic Conversation For Gravity Forms has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 7, 2026 · Updated 1mo ago
Risk Assessment

The "magic-conversation-for-gravity-forms" plugin v3.0.100 exhibits a mixed security posture. It follows good practice by using prepared statements for all SQL queries and has no currently unpatched CVEs, but several areas raise concern. The static analysis shows that a significant portion of output (49%) is not properly escaped, creating a risk of Cross-Site Scripting (XSS) vulnerabilities, a risk corroborated by the plugin's vulnerability history. The plugin also has no nonce or capability checks on its entry points, exposing it to potential CSRF and privilege escalation attacks. The `ini_set` call found by the analysis (`ini_set('display_errors', 1)`) also warrants scrutiny, since enabling error display can expose internal details in page output.

Despite the 1 medium CVE in its history, which was related to XSS and is now patched, the ongoing issue with unescaped output is a persistent concern. The taint analysis shows no critical or high severity flows with unsanitized paths, which is a positive sign. However, the presence of 8 flows with unsanitized paths, even if classified as lower severity or not leading to critical vulnerabilities in this analysis, indicates potential weaknesses that could be exploited in conjunction with other factors. The outdated jQuery library, while not a direct critical risk in isolation, can sometimes be a vector for exploits if specific vulnerabilities exist within that version.

In conclusion, the plugin has strengths in its SQL handling and a clean recent vulnerability record. However, the high percentage of unescaped output, the lack of robust authentication/authorization checks on its entry points, and the presence of unsanitized paths in taint flows represent notable security weaknesses that require attention. The previous XSS vulnerability further emphasizes the need for strict output sanitization.

Key Concerns

  • Unescaped output (49%)
  • No nonce checks
  • No capability checks
  • 8 flows with unsanitized paths
  • Bundled outdated library (jQuery v1.7.2)
  • Dangerous function: ini_set
Vulnerabilities
1 published

Magic Conversation For Gravity Forms Security Vulnerabilities

CVEs by Year: 1 CVE in 2026

Severity Breakdown: Medium 1 (1 total CVE)

CVE-2026-1396 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Apr 7, 2026 · Patched in 3.0.98 (1d)
Version History

Magic Conversation For Gravity Forms Release Timeline

No version history available.
Code Analysis
Analyzed Apr 16, 2026

Magic Conversation For Gravity Forms Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 105 (109 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 2
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

ini_set: `ini_set('display_errors', 1);` at yakker-form.php:371

Bundled Libraries

jQuery 1.7.2

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

51% escaped · 214 total outputs
Data Flows · Security
8 unsanitized

Data Flow Analysis

8 flows · 8 with unsanitized paths
_gf_button_get_form (main.php:575)
Attack Surface

Magic Conversation For Gravity Forms Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[magic-conversation] main.php:1570
[magic-conversation-button] main.php:1571
WordPress Hooks 33
action admin_init api.php:16
action admin_menu conversation-questions.php:29
filter gettext conversation-questions.php:31
action admin_head-edit-tags.php conversation-questions.php:34
filter gettext_with_context conversation-questions.php:49
action admin_menu css-generator.php:5
action admin_init css-generator.php:6
filter pre_update_option_mcfgf_conversation_generator css-generator.php:66
action admin_menu demo.php:5
filter woocommerce_add_error functions.php:282
filter gform_pre_render functions.php:383
filter gform_pre_validation functions.php:384
filter gform_pre_submission_filter functions.php:385
filter gform_admin_pre_render functions.php:386
action admin_menu help.php:5
action print_media_templates main.php:1584
action media_buttons main.php:1590
action admin_print_footer_scripts main.php:1592
action admin_init settings.php:23
action admin_menu settings.php:24
filter gform_form_tag sideform.php:217
action admin_notices upgrade.php:6
action admin_menu woo-product-picker-generator.php:4
filter woocommerce_rest_check_permissions yakker-form.php:197
filter woocommerce_rest_prepare_product_variation_object yakker-form.php:199
filter woocommerce_product_add_to_cart_url yakker-form.php:201
filter woocommerce_rest_prepare_product_object yakker-form.php:203
filter gform_replace_merge_tags yakker-form.php:341
filter gform_submit_button yakker-gravityforms/class-gfyakkeraddon.php:55
action gform_after_submission yakker-gravityforms/class-gfyakkeraddon.php:56
action gform_loaded yakker-gravityforms/gfyakkeraddon.php:4
filter gform_suppress_confirmation_redirect yakker.php:283
filter gform_mollie_return_url yakker.php:285
Maintenance & Trust

Magic Conversation For Gravity Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 24, 2026
PHP min version
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

Magic Conversation For Gravity Forms Developer Profile

magicplugins

3 plugins · 720 total installs

Trust score: 100
Avg Security Score: 100/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Magic Conversation For Gravity Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/css/jquery.miniColors.css
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/css/style.css
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/css/init.css
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/css/../../css/custom.css
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.mousewheel.min.js
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.miniColors.min.js
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.cookie.js
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/js/mcfgf.js
Script Paths
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.mousewheel.min.js
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.miniColors.min.js
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.cookie.js
/wp-content/plugins/magic-conversation-for-gravity-forms/assets/css-generator/js/mcfgf.js
Version Parameters
magic-conversation-for-gravity-forms/assets/css-generator/css/style.css?ver=
magic-conversation-for-gravity-forms/assets/css-generator/css/init.css?ver=
magic-conversation-for-gravity-forms/assets/css-generator/css/../../css/custom.css?ver=
magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.mousewheel.min.js?ver=
magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.miniColors.min.js?ver=
magic-conversation-for-gravity-forms/assets/css-generator/js/libs/jquery.cookie.js?ver=
magic-conversation-for-gravity-forms/assets/css-generator/js/mcfgf.js?ver=

HTML / DOM Fingerprints

CSS Classes
mcfgf-conversation-generator-section
mcfgf_conversation_generator_section_callback
mcfgf_conversation_generator_css_code_render
mcfgf_conversation_generator_css_options_render
mcfgf_conversation_generator_js_code_render
mcfgf_conversation_generator_avatar_robot_render
mcfgf_conversation_generator_avatar_user_render
Data Attributes
data-option-value
JS Globals
MCFGFP_VER
FAQ

Frequently Asked Questions about Magic Conversation For Gravity Forms