MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Security & Risk Analysis

wordpress.org/plugins/metform

The most popular Elementor forms builder to create WordPress forms like contact forms, booking forms, feedback form, survey forms, application forms a …

600K active installs · v4.1.3 · PHP 7.4+ · WP 5.0+ · Updated Mar 3, 2026
Tags: contact-form-builder, custom-form, elementor-form, form-builder, multi-step-form
Score: 87 (A · Safe)
CVEs total: 26
Unpatched: 0
Last CVE: Jan 23, 2026
Safety Verdict

Is MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Safe to Use in 2026?

Generally Safe

Score 87/100

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor has a strong security track record. Known vulnerabilities have been patched promptly.

26 known CVEs · Last CVE: Jan 23, 2026 · Updated 1mo ago
Risk Assessment

The Metform plugin, version 4.1.3, exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of its SQL queries using prepared statements and a high percentage (90%) of output properly escaped. The absence of critical or high-severity taint analysis findings is also encouraging, suggesting that core data handling might be relatively secure. The plugin also implements a good number of nonce and capability checks, indicating an awareness of common WordPress security mechanisms.

However, significant concerns arise from its vulnerability history and attack surface. The plugin has a substantial track record of 26 known CVEs, with a recent vulnerability in January 2026, although none are currently unpatched. The common vulnerability types, including Improper Authentication, SSRF, Unrestricted Uploads, and XSS, suggest recurring weaknesses in how user input is handled and access controls are implemented. The attack surface analysis reveals 15 total entry points, with one AJAX handler lacking authentication checks; that handler is directly exploitable if it can be reached and invoked without proper authorization.

Overall, while Metform has some strengths in its code, the extensive and recurring vulnerability history, coupled with a less-than-fully-protected attack surface, points to a plugin that requires careful monitoring and prompt updating. Users should be aware of the past issues and ensure they are on the latest version to mitigate risks from historical vulnerabilities.

Key Concerns

  • AJAX handler without auth check
  • Extensive vulnerability history (26 CVEs)
  • Recurring high-severity vulnerability types
Vulnerabilities
26

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 16 CVEs
2024: 6 CVEs
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

High: 4
Medium: 21
Low: 1

26 total CVEs

CVE-2026-0633 · low · 3.7 · Improper Authentication

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 - Unauthenticated Form Submission Exposure via Forgeable Cookie Value

Jan 23, 2026 Patched in 4.1.1 (1d)

CVE-2025-5684 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MetForm <= 4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element

Jul 29, 2025 Patched in 4.0.2 (1d)

CVE-2025-30914 · medium · 5.5 · Server-Side Request Forgery (SSRF)

Metform <= 3.9.2 - Authenticated (Admin+) Server-Side Request Forgery

Mar 27, 2025 Patched in 3.9.3 (8d)

CVE-2023-0714 · high · 8.1 · Unrestricted Upload of File with Dangerous Type

Metform Elementor Contact Form Builder <= 3.2.4 - Unauthenticated Double-Extension Arbitrary File Upload

Aug 16, 2024 Patched in 3.3.0 (1d)

CVE-2024-4266 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 3.8.8 - Unauthenticated Sensitive Information Exposure

Jun 10, 2024 Patched in 3.8.9 (1d)

CVE-2024-33570 · medium · 4.3 · Missing Authorization

Metform Elementor Contact Form Builder <= 3.8.3 - Missing Authorization to Notice Dismissal

Apr 25, 2024 Patched in 3.8.4 (7d)

CVE-2024-2791 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metform Elementor Contact Form Builder <= 3.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widgets

Apr 1, 2024 Patched in 3.8.6 (1d)

CVE-2024-1585 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metform Elementor Contact Form Builder <= 3.8.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Mar 7, 2024 Patched in 3.8.4 (86d)

CVE-2023-6788 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Metform Elementor Contact Form Builder <= 3.8.1 - Cross-Site Request Forgery

Jan 8, 2024 Patched in 3.8.2 (204d)

CVE-2023-50903 · medium · 5.3 · Missing Authorization

Metform Elementor Contact Form Builder <= 3.4.0 - Missing Authorization via submit

Dec 26, 2023 Patched in 3.4.1 (28d)

CVE-2023-0689 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

Aug 30, 2023 Patched in 3.3.2 (146d)

CVE-2023-2517 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Metform Elementor Contact Form Builder <= 3.3.2 - Cross-Site Request Forgery via permalink_setup

Jun 22, 2023 Patched in 3.3.3 (215d)

CVE-2023-0694 · medium · 6.5 · Authorization Bypass Through User-Controlled Key

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf shortcode

Jun 8, 2023 Patched in 3.3.2 (229d)

CVE-2023-0695 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode

Jun 8, 2023 Patched in 3.3.1 (229d)

CVE-2023-0693 · medium · 6.5 · Authorization Bypass Through User-Controlled Key

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_transaction_id' shortcode

Jun 8, 2023 Patched in 3.3.2 (229d)

CVE-2023-0709 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode

Jun 8, 2023 Patched in 3.3.1 (229d)

CVE-2023-0688 · medium · 6.5 · Authorization Bypass Through User-Controlled Key

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode

Jun 8, 2023 Patched in 3.3.2 (229d)

CVE-2023-0710 · medium · 4.9 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode

Jun 8, 2023 Patched in 3.3.1 (229d)

CVE-2023-0691 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode

Jun 8, 2023 Patched in 3.3.2 (229d)

CVE-2023-0708 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode

Jun 8, 2023 Patched in 3.3.1 (229d)

CVE-2023-0721 · high · 8.3 · Improper Neutralization of Formula Elements in a CSV File

Metform Elementor Contact Form Builder <= 3.3.0 - Unauthenticated CSV Injection

Jun 8, 2023 Patched in 3.3.1 (229d)

CVE-2023-0692 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode

Jun 8, 2023 Patched in 3.3.2 (229d)

CVE-2023-1843 · medium · 6.5 · Missing Authorization

Metform Elementor Contact Form Builder <= 3.3.0 - Missing Authorization

May 4, 2023 Patched in 3.3.2 (264d)

CVE-2023-0085 · medium · 5.3 · Protection Mechanism Failure

Metform Elementor Contact Form Builder <= 3.2.1 - reCaptcha Protection Bypass

Mar 2, 2023 Patched in 3.2.2 (327d)

CVE-2023-0084 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metform Elementor Contact Form Builder <= 3.1.2 - Unauthenticated Stored Cross-Site Scripting

Feb 2, 2023 Patched in 3.2.0 (355d)

CVE-2022-1442 · high · 7.5 · Missing Authorization

Metform Elementor Contact Form Builder <= 2.1.3 - Sensitive Information Disclosure

Apr 23, 2022 Patched in 2.1.4 (640d)
Code Analysis
Analyzed Mar 16, 2026

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 172 (1565 escaped)
Nonce Checks: 19
Capability Checks: 48
File Operations: 7
External Requests: 22
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

90% escaped · 1737 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
contents (core\integrations\crm\hubspot\loader.php:154)
Attack Surface
1 unprotected

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Attack Surface

Entry Points: 15
Unprotected: 1

AJAX Handlers 8

auth · wp_ajax_metform_admin_settings · core\admin\base.php:30
auth · wp_ajax_check_built_template · core\integrations\emailkit-builder.php:17
auth · wp_ajax_mf_admin_action · core\integrations\onboard\classes\ajax.php:12
auth · wp_ajax_mf_onboard_plugins · core\integrations\onboard\classes\ajax.php:13
auth · wp_ajax_metform_admin_action · plugin.php:24
auth · wp_ajax_wpmet-notices · utils\notice\notice.php:369
auth · wp_ajax_wpmet_rating_never_show_message · utils\rating\rating.php:145
auth · wp_ajax_wpmet_rating_ask_me_later_message · utils\rating\rating.php:146

Shortcodes 7

[metform] base\shortcode.php:17
[mf_thankyou] base\shortcode.php:18
[mf_first_name] base\shortcode.php:19
[mf_last_name] base\shortcode.php:20
[mf_payment_status] base\shortcode.php:21
[mf_transaction_id] base\shortcode.php:22
[mf] base\shortcode.php:23
WordPress Hooks 74
action · rest_api_init · base\api.php:24
action · init · base\cpt.php:12
action · admin_footer · controls\admin-add-new-form.php:9
action · elementor/controls/controls_registered · controls\base.php:25
action · elementor/frontend/after_enqueue_styles · controls\base.php:28
action · elementor/frontend/after_enqueue_scripts · controls\base.php:29
action · elementor/editor/after_enqueue_styles · controls\form-picker-utils.php:9
action · admin_menu · core\admin\base.php:28
action · admin_init · core\admin\base.php:29
filter · upload_mimes · core\entries\action.php:1177
filter · upload_dir · core\entries\action.php:1181
filter · manage_metform-entry_posts_columns · core\entries\hooks.php:13
action · manage_metform-entry_posts_custom_column · core\entries\hooks.php:14
filter · parse_query · core\entries\hooks.php:15
filter · wp_mail_from_name · core\entries\hooks.php:16
filter · upload_mimes · core\entries\hooks.php:17
action · before_delete_post · core\entries\hooks.php:25
action · save_post · core\entries\meta-data.php:25
action · add_meta_boxes · core\entries\meta-data.php:26
action · add_meta_boxes · core\entries\meta-data.php:27
action · add_meta_boxes · core\entries\meta-data.php:29
action · add_meta_boxes · core\entries\meta-data.php:30
action · admin_init · core\entries\meta-data.php:31
action · add_meta_boxes · core\entries\meta-data.php:49
action · add_meta_boxes · core\entries\meta-data.php:54
action · metform/after_load · core\forms\auto-increment-entry.php:18
action · admin_footer · core\forms\base.php:26
action · admin_enqueue_scripts · core\forms\base.php:27
filter · the_content · core\forms\hooks.php:9
action · admin_init · core\forms\hooks.php:10
filter · manage_metform-form_posts_columns · core\forms\hooks.php:11
action · manage_metform-form_posts_custom_column · core\forms\hooks.php:12
action · metform_settings_tab · core\integrations\crm\hubspot\loader.php:48
action · metform_settings_content · core\integrations\crm\hubspot\loader.php:50
action · metform_after_store_form_data · core\integrations\crm\hubspot\loader.php:56
action · admin_enqueue_scripts · core\integrations\onboard\attr.php:28
action · metform/admin/after_save · core\integrations\onboard\onboard.php:54
action · plugins_loaded · metform.php:36
action · plugins_loaded · metform.php:44
action · wp_head · plugin.php:21
action · init · plugin.php:22
action · metform/pro_awareness/before_grid_contents · plugin.php:23
action · admin_head · plugin.php:25
filter · admin_body_class · plugin.php:28
action · init · plugin.php:130
filter · doing_it_wrong_trigger_error · plugin.php:136
action · admin_menu · plugin.php:348
action · elementor/editor/before_enqueue_scripts · plugin.php:351
action · elementor/editor/after_enqueue_scripts · plugin.php:352
action · init · plugin.php:354
action · admin_enqueue_scripts · plugin.php:356
action · wp_enqueue_scripts · plugin.php:357
action · admin_enqueue_scripts · plugin.php:361
action · elementor/frontend/before_enqueue_scripts · plugin.php:364
action · elementor/editor/before_enqueue_styles · plugin.php:366
action · admin_footer · plugin.php:368
action · admin_notices · plugin.php:704
action · admin_head · utils\apps\apps.php:63
action · admin_menu · utils\apps\apps.php:229
action · admin_head · utils\banner\banner.php:34
action · admin_head · utils\emailkit\emailkit.php:50
action · admin_notices · utils\notice\notice.php:276
action · admin_head · utils\notice\notice.php:370
filter · plugin_row_meta · utils\pro-awareness\pro-awareness.php:532
action · admin_head · utils\pro-awareness\pro-awareness.php:541
action · admin_menu · utils\pro-awareness\pro-awareness.php:545
action · admin_head · utils\rating\rating.php:165
action · admin_footer · utils\rating\rating.php:187
action · wp_dashboard_setup · utils\stories\stories.php:52
action · admin_notices · utils\util.php:689
action · elementor/elements/categories_registered · widgets\manifest.php:10
filter · elementor/editor/localize_settings · widgets\manifest.php:11
action · elementor/widgets/register · widgets\manifest.php:12
filter · script_loader_tag · widgets\recaptcha\recaptcha.php:168
Maintenance & Trust

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: 7.4
Downloads: 8.4M

Community Trust

Rating: 94/100
Number of ratings: 489
Active installs: 600K
Developer Profile

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor Developer Profile

Roxnor

15 plugins · 3.0M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 118 days
Detection Fingerprints

How We Detect MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/metform/assets/css/metform-ui.css
  • /wp-content/plugins/metform/assets/css/metform-style.css
  • /wp-content/plugins/metform/assets/js/htm.js
  • /wp-content/plugins/metform/assets/js/metform-app.js
Script Paths
  • /wp-content/plugins/metform/assets/js/htm.js
  • /wp-content/plugins/metform/assets/js/metform-app.js
Version Parameters
  • metform/assets/css/metform-ui.css?ver=
  • metform/assets/css/metform-style.css?ver=
  • metform/assets/js/htm.js?ver=
  • metform/assets/js/metform-app.js?ver=

HTML / DOM Fingerprints

CSS Classes
mf-form-shortcode
HTML Comments
check transient id and session hashed token
Shortcode Output
<div class="mf-form-shortcode">
mf-listing-fname
mf-listing-lname