Multi Step Form Security & Risk Analysis

wordpress.org/plugins/multi-step-form

Guide your customers with the animated progress bar. Generate dynamic multi step forms. Divide longer forms into small steps for better usability.

10K active installs v1.7.27 PHP + WP 5.0+ Updated Nov 24, 2025
forms, multi, multi-step, multi-step-form, step
94
A · Safe
CVEs total: 9
Unpatched: 0
Last CVE: Sep 5, 2025
Safety Verdict

Is Multi Step Form Safe to Use in 2026?

Generally Safe

Score 94/100

Multi Step Form has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Sep 5, 2025 · Updated 4mo ago
Risk Assessment

The 'multi-step-form' plugin v1.7.27 presents a mixed security posture. On the positive side, the static analysis indicates a relatively small attack surface with no exposed REST API routes or shortcodes, and all identified AJAX handlers and cron events appear to have some level of authentication checks. The plugin also demonstrates good practices by exclusively using prepared statements for SQL queries and includes a decent number of nonce and capability checks.

However, significant concerns arise from the code signals and vulnerability history. A notable weakness is the low percentage (48%) of properly escaped output, suggesting a high risk of Cross-Site Scripting (XSS) vulnerabilities. The presence of unsanitized paths in taint analysis, even without critical or high severity findings, warrants attention as it can be an indicator of potential path traversal or file manipulation issues. The plugin's vulnerability history is particularly concerning, with a total of 9 known CVEs, including one high and eight medium severity vulnerabilities. The common types of past vulnerabilities (Unrestricted Upload, Missing Authorization, CSRF, XSS) directly align with the potential risks identified in the static analysis, indicating a recurring pattern of insecure coding practices.

In conclusion, while the plugin has some strengths in its handling of SQL and its limited entry points, the high rate of unescaped output and the extensive history of medium and high severity vulnerabilities, particularly those related to XSS and authorization, present a substantial security risk. The plugin's past indicates a tendency towards insecure implementations that require diligent patching and ongoing security monitoring.

Key Concerns

  • High rate of unescaped output
  • Taint analysis with unsanitized paths
  • Multiple past medium/high severity CVEs
  • Common vulnerability types indicate recurring risks
Vulnerabilities
9

Multi Step Form Security Vulnerabilities

CVEs by Year

  • 2018: 2 CVEs
  • 2022: 1 CVE
  • 2023: 2 CVEs
  • 2024: 2 CVEs
  • 2025: 2 CVEs

Severity Breakdown

High: 1
Medium: 8

9 total CVEs

CVE-2025-9515 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Multi Step Form <= 1.7.25 - Authenticated (Admin+) Arbitrary File Upload

Sep 5, 2025 · Patched in 1.7.26 (1d)

CVE-2024-12427 · medium · 5.3 · Missing Authorization

Multi Step Form <= 1.7.23 - Missing Authorization to Unauthenticated Limited File Upload

Jan 15, 2025 · Patched in 1.7.24 (1d)

CVE-2024-50428 · medium · 5.3 · Missing Authorization

Multi Step Form <= 1.7.21 - Missing Authorization via fw_delete_files

Oct 24, 2024 · Patched in 1.7.22 (7d)

CVE-2024-25905 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Multi Step Form <= 1.7.18 - Cross-Site Request Forgery

Feb 12, 2024 · Patched in 1.7.19 (52d)

CVE-2023-50832 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multi Step Form <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 19, 2023 · Patched in 1.7.17 (52d)

CVE-2023-47758 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Multi Step Form <= 1.7.12 - Cross-Site Request Forgery

Nov 13, 2023 · Patched in 1.7.13 (71d)

CVE-2022-4196 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multi Step Form <= 1.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 17, 2022 · Patched in 1.7.8 (402d)

CVE-2018-14846 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multi Step Form <= 1.2.5 - Stored Cross-Site Scripting

Jul 27, 2018 · Patched in 1.2.6 (2006d)

CVE-2018-14430 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multi Step Form <= 1.2.5 - Reflected Cross-Site Scripting

Jul 20, 2018 · Patched in 1.2.6 (2013d)

Code Analysis
Analyzed Mar 16, 2026

Multi Step Form Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 43 (40 escaped)
Nonce Checks: 7
Capability Checks: 3
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Output Escaping

48% escaped · 83 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
handle_json_upload (includes\admin\msf-admin.class.php:382)
Attack Surface

Multi Step Form Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_fw_wizard_save · includes\admin\msf-admin.class.php:37

WordPress Hooks 13

action · enqueue_block_editor_assets · includes\admin\blocks\msf-gutenberg.php:19
action · admin_menu · includes\admin\msf-admin.class.php:34
action · admin_init · includes\admin\msf-admin.class.php:35
action · wp_mail_failed · includes\admin\msf-admin.class.php:240
action · admin_enqueue_scripts · includes\msf-settings-api.class.php:26
action · admin_init · includes\msf-settings.class.php:16
action · admin_menu · includes\msf-settings.class.php:17
action · wp_enqueue_scripts · includes\msf.class.php:103
action · msf_cron_upload_clean · includes\msf.class.php:106
action · admin_enqueue_scripts · includes\msf.class.php:118
action · init · includes\msf.class.php:134
action · wpmu_new_blog · mondula-form-wizard.php:68
filter · wpmu_drop_tables · mondula-form-wizard.php:76

Scheduled Events 1

msf_cron_upload_clean
Maintenance & Trust

Multi Step Form Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 24, 2025
PHP min version
Downloads: 380K

Community Trust

Rating: 86/100
Number of ratings: 36
Active installs: 10K
Developer Profile

Multi Step Form Developer Profile

mondula2016

2 plugins · 10K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 512 days
Detection Fingerprints

How We Detect Multi Step Form

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/multi-step-form/includes/admin/css/fw-wizard-admin.css
  • /wp-content/plugins/multi-step-form/includes/admin/css/fw-wizard-edit.css
  • /wp-content/plugins/multi-step-form/includes/admin/css/fw-wizard-list.css
  • /wp-content/plugins/multi-step-form/includes/admin/css/fw-wizard-settings.css
  • /wp-content/plugins/multi-step-form/includes/admin/js/fw-wizard-admin.js
  • /wp-content/plugins/multi-step-form/includes/admin/js/fw-wizard-edit.js
  • /wp-content/plugins/multi-step-form/includes/admin/js/fw-wizard-list.js
  • /wp-content/plugins/multi-step-form/includes/admin/js/fw-wizard-settings.js
  • +17 more

Script Paths

  • /wp-content/plugins/multi-step-form/includes/admin/js/fw-wizard-admin.js
  • /wp-content/plugins/multi-step-form/includes/admin/js/fw-wizard-edit.js
  • /wp-content/plugins/multi-step-form/includes/admin/js/fw-wizard-list.js
  • /wp-content/plugins/multi-step-form/includes/admin/js/fw-wizard-settings.js

Version Parameters

  • multi-step-form/assets/css/multi-step-form.css?ver=
  • multi-step-form/assets/js/multi-step-form.js?ver=
  • multi-step-form/includes/admin/css/fw-wizard-admin.css?ver=
  • multi-step-form/includes/admin/css/fw-wizard-edit.css?ver=
  • multi-step-form/includes/admin/css/fw-wizard-list.css?ver=
  • multi-step-form/includes/admin/css/fw-wizard-settings.css?ver=
  • multi-step-form/includes/admin/js/fw-wizard-admin.js?ver=
  • multi-step-form/includes/admin/js/fw-wizard-edit.js?ver=
  • multi-step-form/includes/admin/js/fw-wizard-list.js?ver=
  • multi-step-form/includes/admin/js/fw-wizard-settings.js?ver=
  • multi-step-form/includes/lib/js/jquery.steps.min.js?ver=
  • multi-step-form/includes/lib/js/jquery.validate.min.js?ver=
  • multi-step-form/includes/lib/js/msf-wizard.js?ver=
  • multi-step-form/includes/lib/js/msf-block.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/radio/msf-block-radio.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/email/msf-block-email.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/getvariable/msf-block-get-variable.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/numeric/msf-block-numeric.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/file/msf-block-file.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/date/msf-block-date.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/paragraph/msf-block-paragraph.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/media/msf-block-media.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/select/msf-block-select.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/text/msf-block-text.js?ver=
  • multi-step-form/includes/lib/js/msf-blocks/textarea/msf-block-textarea.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • msf-wizard-container
  • msf-step-title
  • msf-step-headline
  • msf-step-copy
  • msf-section-title
  • msf-element-label
  • msf-radio-checkbox-label
  • msf-wizard-edit-form
  • +2 more

HTML Comments

  • <!-- Main Menu Page -->
  • <!-- Add New Form Page -->
  • <!-- Troubleshooting Page -->
  • <!-- Multi Step Form Wizard Container -->
  • +3 more

Data Attributes

  • data-step-id
  • data-section-id
  • data-block-id
  • data-form-id

JS Globals

  • Mondula_Form_Wizard
  • fw_wizard_data

FAQ

Frequently Asked Questions about Multi Step Form