Contact Form By Mega Forms – Drag and Drop Form Builder Security & Risk Analysis

wordpress.org/plugins/mega-forms

Contact form builder that allows you to create forms for any purpose. Drag & drop form fields to build modern, professional contact forms in minutes.

200 active installs · v1.6.9 · PHP 7.4+ · WP 5.0+ · Updated Jan 20, 2026

Tags: ajax-forms, custom-form, drag-and-drop-form-builder, file-upload-forms, multi-step-ajax-form

Security score: 98
Grade: A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Sep 3, 2025
Safety Verdict

Is Contact Form By Mega Forms – Drag and Drop Form Builder Safe to Use in 2026?

Generally Safe

Score 98/100

Contact Form By Mega Forms – Drag and Drop Form Builder has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Sep 3, 2025 · Updated 2mo ago
Risk Assessment

The plugin 'mega-forms' v1.6.9 presents a mixed security posture. While it demonstrates good practices in SQL query preparation (74%) and output escaping (64%), significant concerns arise from its attack surface. All 5 identified AJAX handlers lack proper authentication checks, making them prime targets for unauthorized actions. The taint analysis, while not revealing critical or high severity issues, did identify 6 flows with unsanitized paths, indicating a potential for vulnerabilities if malicious data is introduced. The vulnerability history shows a past pattern of Missing Authorization and Cross-site Scripting vulnerabilities, reinforcing the risk associated with the unprotected AJAX endpoints. Although there are no currently unpatched CVEs, the historical trend and the static analysis findings suggest a need for immediate attention to the lack of authorization checks on AJAX handlers to mitigate potential security risks.

Key Concerns

  • High attack surface without auth checks on AJAX
  • 6 unsanitized paths in taint analysis
  • Past vulnerabilities: Missing Authorization
  • Past vulnerabilities: XSS
  • Only 1 nonce check for 5 AJAX handlers
  • Only 4 capability checks for 5 AJAX handlers
Vulnerabilities (2)

Contact Form By Mega Forms – Drag and Drop Form Builder Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE (patched)
  • 2025: 1 CVE (patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-58639 · medium · 4.3 · Missing Authorization

Contact Form By Mega Forms <= 1.6.1 - Missing Authorization

Sep 3, 2025 Patched in 1.6.2 (7d)
CVE-2022-40191 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contact Form By Mega Forms <= 1.2.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Sep 8, 2022 Patched in 1.2.5 (502d)
Code Analysis
Analyzed Mar 16, 2026

Contact Form By Mega Forms – Drag and Drop Form Builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 33 (92 prepared)
Unescaped Output: 241 (425 escaped)
Nonce Checks: 1
Capability Checks: 4
File Operations: 22
External Requests: 6
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

74% prepared · 125 total queries

Output Escaping

64% escaped · 666 total outputs

Data Flows (6 unsanitized)

Data Flow Analysis

8 flows · 6 with unsanitized paths

  • header_actions (admin\class-mega-forms-admin.php:343)

Attack Surface (5 unprotected)

Contact Form By Mega Forms – Drag and Drop Form Builder Attack Surface

Entry Points: 5
Unprotected: 5

AJAX Handlers 5

  • auth · wp_ajax_megaforms_admin_request · includes\class-mega-forms.php:139
  • auth · wp_ajax_megaforms_public_request · includes\class-mega-forms.php:143
  • nopriv · wp_ajax_megaforms_public_request · includes\class-mega-forms.php:144
  • auth · wp_ajax_megaforms_file_handler · pro\class-mega-forms-pro.php:137
  • nopriv · wp_ajax_megaforms_file_handler · pro\class-mega-forms-pro.php:138
WordPress Hooks 43
  • filter · cron_schedules · common\partials\class-mega-forms-crons.php:29
  • action · mf_daily_tasks · common\partials\class-mega-forms-logger.php:57
  • action · init · common\partials\class-mega-forms-session.php:161
  • action · init · common\partials\class-mega-forms-session.php:174
  • action · shutdown · common\partials\class-mega-forms-session.php:176
  • action · wp_logout · common\partials\class-mega-forms-session.php:178
  • action · wp_initialize_site · includes\class-mega-forms.php:87
  • action · admin_enqueue_scripts · includes\class-mega-forms.php:91
  • action · wp_enqueue_scripts · includes\class-mega-forms.php:92
  • action · shutdown · includes\class-mega-forms.php:95
  • action · plugins_loaded · includes\class-mega-forms.php:98
  • action · init · includes\class-mega-forms.php:104
  • action · admin_enqueue_scripts · includes\class-mega-forms.php:121
  • action · admin_enqueue_scripts · includes\class-mega-forms.php:122
  • action · admin_menu · includes\class-mega-forms.php:125
  • action · admin_body_class · includes\class-mega-forms.php:128
  • action · admin_init · includes\class-mega-forms.php:131
  • action · wp_enqueue_scripts · includes\class-mega-forms.php:160
  • action · wp_enqueue_scripts · includes\class-mega-forms.php:161
  • action · template_redirect · includes\class-mega-forms.php:162
  • action · plugins_loaded · mega-forms.php:109
  • action · init · mega-forms.php:124
  • filter · mf_get_form · pro\class-mega-forms-pro.php:70
  • filter · mf_view_form_tag_attributes · pro\class-mega-forms-pro.php:73
  • action · mf_after_hidden_inputs · pro\class-mega-forms-pro.php:76
  • action · mf_footer_submit_before · pro\class-mega-forms-pro.php:78
  • action · mf_custom_submission_validation · pro\class-mega-forms-pro.php:84
  • filter · mf_ajax_submit_success_response · pro\class-mega-forms-pro.php:87
  • action · mf_webhook_retry_hook · pro\class-mega-forms-pro.php:93
  • filter · mf_process_form_action · pro\class-mega-forms-pro.php:96
  • action · mf_process_entry_actions · pro\class-mega-forms-pro.php:99
  • action · mf_after_delete_entry · pro\class-mega-forms-pro.php:102
  • action · mf_after_delete · pro\class-mega-forms-pro.php:105
  • filter · mf_merge_tag_value · pro\class-mega-forms-pro.php:108
  • action · admin_enqueue_scripts · pro\class-mega-forms-pro.php:125
  • action · admin_enqueue_scripts · pro\class-mega-forms-pro.php:126
  • filter · mf_option_tabs · pro\class-mega-forms-pro.php:129
  • filter · mf_settings_options · pro\class-mega-forms-pro.php:131
  • filter · mf_form_settings_options · pro\class-mega-forms-pro.php:134
  • action · wp_enqueue_scripts · pro\class-mega-forms-pro.php:155
  • action · wp_enqueue_scripts · pro\class-mega-forms-pro.php:156
  • action · template_redirect · pro\class-mega-forms-pro.php:159
  • action · mf_form_view_output_before · pro\class-mega-forms-pro.php:161

Scheduled Events 1

  • mf_webhook_retry_hook
Maintenance & Trust

Contact Form By Mega Forms – Drag and Drop Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jan 20, 2026
PHP min version: 7.4
Downloads: 11K

Community Trust

Rating: 100/100
Number of ratings: 11
Active installs: 200
Developer Profile

Contact Form By Mega Forms – Drag and Drop Form Builder Developer Profile

Ali Khallad

3 plugins · 340 total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 255 days
Detection Fingerprints

How We Detect Contact Form By Mega Forms – Drag and Drop Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mega-forms/admin/assets/css/deps/snackbar.min.css
  • /wp-content/plugins/mega-forms/admin/assets/css/deps/select2.min.css
  • /wp-content/plugins/mega-forms/assets/admin/css/styles.min.css
  • /wp-content/plugins/mega-forms/admin/assets/js/deps/snackbar.min.js
  • /wp-content/plugins/mega-forms/admin/assets/js/deps/select2.min.js
Version Parameters
  • mega-forms/assets/admin/css/styles.min.css?ver=
  • mega-forms/admin/assets/css/deps/snackbar.min.css?ver=
  • mega-forms/admin/assets/css/deps/select2.min.css?ver=
  • mega-forms/admin/assets/js/deps/snackbar.min.js?ver=
  • mega-forms/admin/assets/js/deps/select2.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mf_page
  • megaforms-admin-wrap
HTML Comments
  • The code that runs during plugin activation.
  • The code that runs during plugin deactivation.
  • The code that runs on plugin unistallation.
  • Check if the plugin database was updated and perform any necessary actions.
  • (+13 more)
Data Attributes
  • data-mf-name
  • data-mf-slug
JS Globals
  • mf_api
  • mfVars
FAQ

Frequently Asked Questions about Contact Form By Mega Forms – Drag and Drop Form Builder