Contact Form Widget Security & Risk Analysis

wordpress.org/plugins/new-contact-form-widget

Create contact forms with query table management. Simple setup, secure submissions, and easy customization for your site.

1K active installs · v1.5.1 · PHP + WP 4.0+ · Updated Dec 15, 2025
Tags: contact-form, contact-widget, email-form, form-builder, query-form

Score: 67 (C · Use Caution)
CVEs total: 5
Unpatched: 1
Last CVE: Dec 31, 2025
Safety Verdict

Is Contact Form Widget Safe to Use in 2026?

Use With Caution

Score 67/100

Contact Form Widget has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

5 known CVEs · 1 unpatched · Last CVE: Dec 31, 2025 · Updated 3mo ago
Risk Assessment

The "new-contact-form-widget" plugin version 1.5.1 exhibits a mixed security posture. While the static analysis shows a generally good foundation with a low number of entry points and no immediately apparent critical vulnerabilities in taint flows, the vulnerability history is a significant concern. The plugin has a history of 5 known CVEs, with one still unpatched, which is a serious red flag. The types of past vulnerabilities (CSRF, Information Exposure, SQL Injection) suggest recurring issues in input validation and state management, even if not directly evident in the current static scan. The 63% usage of prepared statements for SQL queries is a positive step, but the remaining 37% and the 18% of unescaped outputs present potential attack vectors. The presence of file operations without explicit detail on their context also warrants caution. Overall, the plugin has made improvements, but the historical vulnerability record and the remaining code quality issues prevent it from being considered highly secure.

Key Concerns

  • Unpatched high severity CVE
  • Medium severity CVEs (4)
  • SQL queries not using prepared statements (37%)
  • Output escaping not properly implemented (17%)
  • Potential for sensitive information exposure (history)
  • Potential for SQL injection (history)
  • Potential for Cross-Site Request Forgery (history)
Vulnerabilities (5)

Contact Form Widget Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2024: 2 CVEs
  • 2025: 2 CVEs · unpatched

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2025-62134 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Contact Form Widget <= 1.5.1 - Cross-Site Request Forgery

Dec 31, 2025 · Unpatched

CVE-2025-47491 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Contact Form Widget <= 1.4.6 - Cross-Site Request Forgery

May 7, 2025 · Patched in 1.4.7 (6d)

CVE-2024-48037 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Contact Form Widget <= 1.4.2 - Cross-Site Request Forgery

Oct 9, 2024 · Patched in 1.4.3 (8d)

CVE-2024-34754 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Contact Form Widget <= 1.3.9 - Sensitive Information Exposure

May 14, 2024 · Patched in 1.4.0 (7d)

CVE-2019-17072 · high · 8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table <= 1.3.8 - Authenticated (Admin+) SQL Injection

Oct 10, 2019 · Patched in 1.3.9 (1766d)
Code Analysis
Analyzed Mar 16, 2026

Contact Form Widget Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 3 (5 prepared)
  • Unescaped Output: 32 (154 escaped)
  • Nonce Checks: 4
  • Capability Checks: 1
  • File Operations: 4
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

63% prepared · 8 total queries

Output Escaping

83% escaped · 186 total outputs
Data Flows: All sanitized

Data Flow Analysis

1 flow: <all-query-page> (all-query-page.php:0)
Attack Surface

Contact Form Widget Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers (2)

  • auth · wp_ajax_submit_user_query · new-contact-form-widget.php:50
  • nopriv · wp_ajax_submit_user_query · new-contact-form-widget.php:51

Shortcodes (1)

  • [CFW] · shortcode.php:246

WordPress Hooks (3)

  • action · admin_menu · cfw-menu-pages.php:4
  • action · plugins_loaded · new-contact-form-widget.php:41
  • action · widgets_init · new-contact-form-widget.php:105
Maintenance & Trust

Contact Form Widget Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 15, 2025
  • PHP min version:
  • Downloads: 119K

Community Trust

  • Rating: 100/100
  • Number of ratings: 11
  • Active installs: 1K
Developer Profile

Contact Form Widget Developer Profile

A WP Life

61 plugins · 64K total installs

  • Trust score: 77
  • Avg Security Score: 97/100
  • Avg Patch Time: 267 days
Detection Fingerprints

How We Detect Contact Form Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/new-contact-form-widget/css/cfw-bootstrap.css
  • /wp-content/plugins/new-contact-form-widget/css/font-awesome.min.css
  • /wp-content/plugins/new-contact-form-widget/js/bootstrap.js
  • /wp-content/plugins/new-contact-form-widget/js/cfw-ajax.js
Script Paths
  • /wp-content/plugins/new-contact-form-widget/js/bootstrap.js
  • /wp-content/plugins/new-contact-form-widget/js/cfw-ajax.js
Version Parameters
  • new-contact-form-widget/css/cfw-bootstrap.css?ver=
  • new-contact-form-widget/css/font-awesome.min.css?ver=
  • new-contact-form-widget/js/bootstrap.js?ver=3.3.6
  • new-contact-form-widget/js/cfw-ajax.js?ver=

HTML / DOM Fingerprints

CSS Classes
contact_form
Data Attributes
data-nonce
JS Globals
cfw_ajax
FAQ

Frequently Asked Questions about Contact Form Widget