Does MW WP Form have any unpatched vulnerabilities?

No. All known vulnerabilities in MW WP Form have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is MW WP Form compatible with WordPress 6.4.8?

According to WordPress.org data, MW WP Form 5.1.0 has been tested up to WordPress 6.4.8. Check the plugin's changelog for the latest compatibility information.

How often is MW WP Form updated?

MW WP Form was last updated on Mar 13, 2024. Frequent updates are generally a positive security signal.

What is MW WP Form's security score?

MW WP Form has a WP-Safety security score of 81/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

MW WP Form Security & Risk Analysis

wordpress.org/plugins/mw-wp-form

MW WP Form is shortcode base contact form plugin. This plugin have many features. For example you can use many validation rules, inquiry data saving, …

200K active installs v5.1.0 PHP + WP 6.0+ Updated Mar 13, 2024

confirmformmailpreviewshortcode

B · Generally Safe

CVEs total5

Unpatched0

Last CVEJan 31, 2024

Plugin page Download

Safety Verdict

Is MW WP Form Safe to Use in 2026?

Mostly Safe

Score 81/100

MW WP Form is generally safe to use though it hasn't been updated recently. 5 past CVEs were resolved. Keep it updated.

5 known CVEsLast CVE: Jan 31, 2024Updated 2yr ago

Risk Assessment

The static analysis of "mw-wp-form" v5.1.0 indicates a generally good security posture with several positive indicators. The plugin has no unprotected AJAX handlers or REST API routes, all SQL queries are prepared, and a high percentage of output is properly escaped. The presence of nonce and capability checks further reinforces good security practices. However, the code signals do show some areas for improvement, particularly concerning file operations, which should always be handled with extreme caution.

Despite the positive static analysis results for the current version, the plugin's vulnerability history is a significant concern. With 5 known CVEs, including one critical and one high severity vulnerability, this indicates a pattern of past security weaknesses. The common vulnerability types such as Cross-site Scripting, Path Traversal, Unrestricted Uploads, and Missing Authorization suggest that inputs have not always been properly sanitized or authorized, leading to potentially serious security flaws in previous versions. The fact that the last vulnerability was relatively recent (January 2024) is also noteworthy.

In conclusion, while "mw-wp-form" v5.1.0 demonstrates adherence to some core security best practices in its current code, its historical vulnerability record warrants a cautious approach. The absence of any unpatched vulnerabilities in the current version is a positive sign, but the recurring nature of certain vulnerability types in its history suggests that ongoing vigilance and thorough auditing are crucial to prevent future exploitations.

Key Concerns

Significant historical CVEs, including critical and high.
8 file operations present.
82% output escaping is good, but 18% is unescaped.

Vulnerabilities

MW WP Form Security Vulnerabilities

CVEs by Year

4 CVEs in 2023

2023

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Critical

High

Medium

5 total CVEs

CVE-2024-24804medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MW WP Form <= 5.0.6 - Authenticated (Editor+) Stored Cross-Site Scripting

Jan 31, 2024 Patched in 5.1.0 (52d)

CVE-2023-6559high · 7.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

MW WP Form <= 5.0.3 - Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion

Dec 15, 2023 Patched in 5.0.4 (228d)

CVE-2023-6316critical · 9.8Unrestricted Upload of File with Dangerous Type

MW WP Form <= 5.0.1 - Unauthenticated Arbitrary File Upload

Dec 4, 2023 Patched in 5.0.2 (50d)

CVE-2023-46206medium · 5.3Missing Authorization

MW WP Form <= 4.4.5 - Missing Authorization

Oct 19, 2023 Patched in 5.0.0 (96d)

CVE-2023-28409medium · 5.3Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

MW WP Form <= 4.4.2 - Directory Traversal via _file_upload

May 8, 2023 Patched in 4.4.3 (260d)

Code Analysis

Analyzed Mar 16, 2026

MW WP Form Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

141

642 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared4 total queries

Output Escaping

82% escaped783 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

_save (classes\controllers\class.chart.php:102)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

MW WP Form Attack Surface

Entry Points3

Unprotected0

Shortcodes 3

[mwform_formkey] classes\controllers\class.main.php:182

[mwform] classes\services\class.exec-shortcode.php:42

[mwform_complete_message] classes\services\class.exec-shortcode.php:43

WordPress Hooks 50

filtermwform_form_fieldsclasses\abstract\class.form-field.php:79

filtermwform_tag_generator_groupclasses\abstract\class.form-field.php:80

actionmwform_tag_generator_dialogclasses\abstract\class.form-field.php:288

filtermwform_validation_rulesclasses\abstract\class.validation-rule.php:39

actionadmin_headclasses\controllers\class.admin-list.php:18

actionadmin_enqueue_scriptsclasses\controllers\class.admin-list.php:19

filtermanage_posts_columnsclasses\controllers\class.admin-list.php:26

actionmanage_posts_custom_columnclasses\controllers\class.admin-list.php:27

actionadd_meta_boxesclasses\controllers\class.admin.php:22

filterdefault_contentclasses\controllers\class.admin.php:23

actionmedia_buttonsclasses\controllers\class.admin.php:24

actionadmin_enqueue_scriptsclasses\controllers\class.admin.php:25

actionsave_postclasses\controllers\class.admin.php:26

actionadmin_enqueue_scriptsclasses\controllers\class.chart.php:39

actionpre_get_postsclasses\controllers\class.contact-data-list.php:37

actionadmin_enqueue_scriptsclasses\controllers\class.contact-data-list.php:38

actionadmin_print_stylesclasses\controllers\class.contact-data-list.php:39

actionin_admin_footerclasses\controllers\class.contact-data-list.php:40

filterwp_count_postsclasses\controllers\class.contact-data-list.php:41

actionadd_meta_boxesclasses\controllers\class.contact-data.php:53

actionadmin_enqueue_scriptsclasses\controllers\class.contact-data.php:54

actionadmin_print_stylesclasses\controllers\class.contact-data.php:55

actionedit_form_topclasses\controllers\class.contact-data.php:56

actionsave_postclasses\controllers\class.contact-data.php:57

filternocache_headersclasses\controllers\class.main.php:32

filternginxchampuru_caching_headersclasses\controllers\class.main.php:33

actionparse_requestclasses\controllers\class.main.php:35

actiontemplate_redirectclasses\controllers\class.main.php:36

actiontemplate_redirectclasses\controllers\class.main.php:37

actionmwform_after_exec_shortcodeclasses\deprecated.php:17

actionadmin_noticesclasses\functions.php:90

filterthe_contentclasses\functions.php:96

actionshutdownclasses\models\class.data.php:90

filterupload_mimesclasses\models\class.file.php:17

actionphpmailer_initclasses\models\class.mail.php:83

filterwp_mail_fromclasses\models\class.mail.php:84

filterwp_mail_from_nameclasses\models\class.mail.php:85

filtermwform_form_end_htmlclasses\services\class.exec-shortcode.php:45

actionwp_footerclasses\services\class.exec-shortcode.php:47

actionwp_footerclasses\services\class.exec-shortcode.php:78

actionwp_footerclasses\services\class.exec-shortcode.php:112

actionplugins_loadedmw-wp-form.php:34

actionplugins_loadedmw-wp-form.php:35

actionafter_setup_thememw-wp-form.php:68

actioninitmw-wp-form.php:69

actiontemplate_redirectmw-wp-form.php:70

actionadmin_enqueue_scriptsmw-wp-form.php:78

actionadmin_menumw-wp-form.php:79

actionadmin_menumw-wp-form.php:80

actioncurrent_screenmw-wp-form.php:81

Maintenance & Trust

MW WP Form Maintenance & Trust

Maintenance Signals

WordPress version tested6.4.8

Last updatedMar 13, 2024

PHP min version

Downloads1.8M

Community Trust

Rating86/100

Number of ratings22

Active installs200K

Alternatives

MW WP Form Alternatives

MW WP Form A8 Tracker

mw-wp-form-a8-tracker

MW WP Form a8 tracker is an extension plugin for MW WP FORM. This plugin can easily introduce A8.net tracking tags.

60 No CVEs

Email addon for CF7

cf7-email-add-on

Email addon for CF7 plugin provides the responsive Email templates to admin and users.

3K 1 CVE

Contact Form 7 Confirm Email Field

contact-form-7-confirm-email-feild

Add a confirm email field to Contact Form 7.

2K No CVEs

Flex Forms

flex-forms

100

A lightweight yet powerful form builder with database storage, email alerts, reCAPTCHA, SMTP configuration, and deep Flex Fields integration.

10 No CVEs

Formidable Email Shortcodes

formidable-email-shortcodes

Create shortcodes with unique identifiers to use in your Formidable Email Notification Settings. Change email addresses globally from one location.

10 No CVEs

Developer Profile

MW WP Form Developer Profile

Takashi Kitajima

11 plugins · 331K total installs

trust score

Avg Security Score

89/100

Avg Patch Time

122 days

View full developer profile

Detection Fingerprints

How We Detect MW WP Form

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/mw-wp-form/css/admin-common.css

HTML / DOM Fingerprints

CSS Classes

mwf_inputmwf_labelmwf_form_wrapmwf_submitmwf_select

HTML Comments

MW WP Formcontact_data_post_types

Data Attributes

data-mwf-form-id

JS Globals

MW_WP_Form_Validator

REST Endpoints

/wp-json/mw-wp-form/

Shortcode Output

[mwform

FAQ