WP-Safety

Nelio Forms Security & Risk Analysis

wordpress.org/plugins/nelio-forms

An intuitive form builder based on open WordPress technologies

60 active installs v1.2.0 PHP 7.4+ WP 6.6+ Updated Dec 1, 2025
contact-formemailfeedbackform-blocksform-builder
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Nelio Forms Safe to Use in 2026?

Generally Safe

Score 100/100

Nelio Forms has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4mo ago
Risk Assessment

The static analysis of Nelio Forms v1.2.0 indicates a generally strong security posture. The plugin has no critical or high severity taint flows, uses prepared statements for all SQL queries, and properly escapes a high percentage of its output. The absence of external HTTP requests and the handling of file operations are also positive signs. Furthermore, the plugin's vulnerability history is clean, with no recorded CVEs, suggesting a commitment to security and code quality by the developers.

However, there are areas for improvement. The presence of a shortcode without explicit authentication checks is a potential entry point that, while not currently flagged as problematic in taint analysis, could be a target if vulnerabilities are introduced in the future. The lack of nonce checks on the identified AJAX handlers, though there are none currently, implies a potential oversight that could be exploited if AJAX functionality is added or modified without proper security measures. The presence of capability checks, while good, could be more comprehensive if they are not consistently applied to all sensitive operations.

Overall, Nelio Forms v1.2.0 appears to be a well-developed plugin with a focus on secure coding practices. The lack of known vulnerabilities and the good results from static analysis are reassuring. The primary recommendation is to ensure that any future additions of AJAX handlers or shortcodes include robust authentication and authorization checks to maintain this strong security posture.

Key Concerns

  • Shortcode without auth check
  • No nonce checks on AJAX handlers (potential)
Vulnerabilities
None known

Nelio Forms Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Nelio Forms Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
3
21 escaped
Nonce Checks
0
Capability Checks
2
File Operations
1
External Requests
0
Bundled Libraries
0

Output Escaping

88% escaped24 total outputs
Attack Surface

Nelio Forms Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[nelio-form] includes\blocks\block-form.php:149
WordPress Hooks 78
filternelio_forms_parse_email-notification_actionincludes\actions\email-notification.php:32
actionnelio_forms_process_email-notification_actionincludes\actions\email-notification.php:68
filternelio_forms_email-notification_action_schemaincludes\actions\email-notification.php:81
actionnelio_forms_processincludes\actions\index.php:30
actioninitincludes\blocks\block-form.php:146
actioninitincludes\blocks\block-form.php:156
actionnelio_forms_after_form_fieldsincludes\blocks\block-form.php:178
actionblock_categories_allincludes\blocks\categories.php:21
actioninitincludes\blocks\fields.php:21
filternelio_forms_check_spamincludes\compat\akismet.php:67
filterwpseo_sitemap_exclude_post_typeincludes\compat\wordpress-seo.php:12
actionadd_meta_boxesincludes\compat\wordpress-seo.php:17
actionnelio_forms_after_form_fieldsincludes\css.php:85
actionnelio_forms_css_dark_colorsincludes\css.php:103
filternelio_forms_sanitize_checkbox-group_fieldincludes\fields\checkbox-group.php:25
filternelio_forms_validate_checkbox-group_fieldincludes\fields\checkbox-group.php:30
filternelio_forms_sanitize_checkbox_fieldincludes\fields\checkbox.php:12
filternelio_forms_validate_checkbox_fieldincludes\fields\checkbox.php:17
filternelio_forms_sanitize_date_fieldincludes\fields\date.php:12
filternelio_forms_validate_date_fieldincludes\fields\date.php:34
filternelio_forms_error_messagesincludes\fields\date.php:57
filternelio_forms_sanitize_datetime_fieldincludes\fields\datetime.php:12
filternelio_forms_validate_datetime_fieldincludes\fields\datetime.php:34
filternelio_forms_error_messagesincludes\fields\datetime.php:57
filternelio_forms_sanitize_email_fieldincludes\fields\email.php:9
filternelio_forms_validate_email_fieldincludes\fields\email.php:52
filternelio_forms_error_messagesincludes\fields\email.php:97
filternelio_forms_validate_fieldincludes\fields\index.php:33
filternelio_forms_error_messagesincludes\fields\index.php:56
filternelio_forms_sanitize_number-slider_fieldincludes\fields\number-slider.php:12
filternelio_forms_validate_number-slider_fieldincludes\fields\number-slider.php:17
filternelio_forms_sanitize_number_fieldincludes\fields\number.php:12
filternelio_forms_validate_number_fieldincludes\fields\number.php:17
filternelio_forms_sanitize_password_fieldincludes\fields\password.php:13
filternelio_forms_validate_password_fieldincludes\fields\password.php:43
filternelio_forms_error_messagesincludes\fields\password.php:78
filternelio_forms_sanitize_radio-group_fieldincludes\fields\radio-group.php:12
filternelio_forms_validate_radio-group_fieldincludes\fields\radio-group.php:29
filternelio_forms_error_messagesincludes\fields\radio-group.php:44
filternelio_forms_sanitize_select_fieldincludes\fields\select.php:9
filternelio_forms_validate_select_fieldincludes\fields\select.php:56
filternelio_forms_error_messagesincludes\fields\select.php:71
filternelio_forms_sanitize_tel_fieldincludes\fields\tel.php:9
filternelio_forms_validate_tel_fieldincludes\fields\tel.php:25
filternelio_forms_error_messagesincludes\fields\tel.php:50
filternelio_forms_sanitize_text_fieldincludes\fields\text.php:12
filternelio_forms_validate_text_fieldincludes\fields\text.php:73
filternelio_forms_error_messagesincludes\fields\text.php:140
filternelio_forms_sanitize_textarea_fieldincludes\fields\textarea.php:12
filternelio_forms_validate_textarea_fieldincludes\fields\textarea.php:28
filternelio_forms_error_messagesincludes\fields\textarea.php:53
filternelio_forms_sanitize_time_fieldincludes\fields\time.php:12
filternelio_forms_validate_time_fieldincludes\fields\time.php:34
filternelio_forms_error_messagesincludes\fields\time.php:57
filternelio_forms_sanitize_url_fieldincludes\fields\url.php:9
filternelio_forms_validate_url_fieldincludes\fields\url.php:38
filternelio_forms_error_messagesincludes\fields\url.php:73
actionwpmu_new_blogincludes\form-capabilities.php:11
actionenqueue_block_assetsincludes\form-editor.php:26
actionenqueue_block_assetsincludes\form-editor.php:40
filterwp_insert_post_dataincludes\form-editor.php:174
filterwp_kses_allowed_htmlincludes\form-editor.php:189
filternelio_popups_extended_post_typesincludes\form-editor.php:198
actioninitincludes\forms.php:64
actioninitincludes\forms.php:107
filterallowed_block_types_allincludes\forms.php:117
actionget_post_metadataincludes\forms.php:126
actionget_post_metadataincludes\forms.php:140
actionget_post_metadataincludes\forms.php:149
actionget_post_metadataincludes\forms.php:189
filterthe_titleincludes\forms.php:206
filterthe_contentincludes\forms.php:226
filterwp_robotsincludes\forms.php:236
actionadmin_menuincludes\menu.php:41
filterrest_page_queryincludes\rest.php:13
filterrest_post_queryincludes\rest.php:14
filterposts_whereincludes\rest.php:28
actionwpincludes\submission\listener.php:77
Maintenance & Trust

Nelio Forms Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 1, 2025
PHP min version7.4
Downloads4K

Community Trust

Rating100/100
Number of ratings2
Active installs60
Alternatives

Nelio Forms Alternatives

WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress

WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress

wpzoom-forms

A
100

Drag & drop contact form builder for WordPress. Create contact forms, custom forms, email forms with spam protection. Works with Elementor, shortcodes

10K No CVEs
Contact Form Widget

Contact Form Widget

new-contact-form-widget

C
67

Create contact forms with query table management. Simple setup, secure submissions, and easy customization for your site.

1K 1 unpatched
Quick Contact Form

Quick Contact Form

quick-contact-form

A
92

An easy to set up, plug and play contact form with a huge range of options and styles. A beginner friendly WordPress contact form plugin.

1K 7 CVEs
Contact Forms by Cimatti

Contact Forms by Cimatti

contact-forms

A
91

Create and publish forms in your WordPress website with drag and drop. Contact forms, landing page forms, invitations, and more.

700 11 CVEs
More Mails for CF7

More Mails for CF7

more-mails-for-cf7

A
100

Extends the ubiquitous Contact Form 7 plugin to allow three or more messages.

500 No CVEs
Developer Profile

Nelio Forms Developer Profile

Nelio Software

12 plugins · 11K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
957 days
View full developer profile
Detection Fingerprints

How We Detect Nelio Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/nelio-forms/dist/opinionated-style.css/wp-content/plugins/nelio-forms/dist/form-style.css
Script Paths
/wp-content/plugins/nelio-forms/dist/form-view-script.js
Version Parameters
nelio-forms/dist/opinionated-style.css?ver=nelio-forms/dist/form-style.css?ver=nelio-forms/dist/form-view-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
nelio-forms-formnelio-forms-fieldnelio-forms-field--hiddennelio-forms-field__labelnelio-forms-field__label--textnelio-forms-field__valuenelio-forms-field__value--textnelio-forms-error-noscript
HTML Comments
<!-- wp:nelio-forms/form {"ref":<!-- text -->
Data Attributes
data-formiddata-submit-processing-labeldata-hide-form
JS Globals
NelioFormsErrorMessages
Shortcode Output
[nelio-form id="<!-- wp:nelio-forms/form {"ref":<formmethod="post"
FAQ

Frequently Asked Questions about Nelio Forms