
Notification Attachments for Gravity Forms Security & Risk Analysis
wordpress.org/plugins/notification-attachments-for-gravity-forms
Send attachment in Gravity Forms Notification
Is Notification Attachments for Gravity Forms Safe to Use in 2026?
Generally Safe
Score 100/100
Notification Attachments for Gravity Forms has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The plugin 'notification-attachments-for-gravity-forms' version 0.6.3 exhibits a generally positive security posture based on the provided static analysis and vulnerability history. The absence of known CVEs and a clean taint analysis indicate a lack of publicly disclosed or easily discoverable critical vulnerabilities. Furthermore, the code analysis reveals no dangerous functions, no raw SQL queries (all use prepared statements), no file operations, and no external HTTP requests, all of which are strong security indicators. The high percentage of properly escaped output is also commendable, minimizing the risk of cross-site scripting vulnerabilities.
However, a significant concern arises from the complete lack of capability checks and nonce checks. While the static analysis reports zero entry points, this does not guarantee future security if new entry points are introduced or if existing ones are not properly secured. The absence of capability checks means that even if an entry point exists, it might be accessible to users without appropriate permissions, potentially leading to privilege escalation or unauthorized actions. The lack of nonce checks on any potential AJAX handlers (even if currently zero) is a critical oversight, as it leaves any future or undiscovered handlers vulnerable to Cross-Site Request Forgery (CSRF) attacks. The vulnerability history, while clean, also indicates a limited scope of past analysis or a lack of historical reporting, which can sometimes mask emerging issues.
In conclusion, the plugin demonstrates good coding practices in several key areas, particularly regarding data handling and avoiding dangerous functions. The absence of historical vulnerabilities is a positive sign. Nevertheless, relying on the static analysis result of zero unprotected entry points as the only security measure, combined with the absence of fundamental controls such as capability and nonce checks, is a notable weakness. It leaves the plugin exposed if its attack surface expands or if existing entry points are misconfigured in the future. A more robust approach would include these checks regardless of the number of entry points currently reported.
Key Concerns
- No capability checks
- No nonce checks
Notification Attachments for Gravity Forms Security Vulnerabilities
Notification Attachments for Gravity Forms Code Analysis
Output Escaping
Notification Attachments for Gravity Forms Attack Surface
WordPress Hooks: 8
Notification Attachments for Gravity Forms Maintenance & Trust
Maintenance Signals
Community Trust
Notification Attachments for Gravity Forms Alternatives
No alternatives data available yet.
Notification Attachments for Gravity Forms Developer Profile
7 plugins · 15K total installs
How We Detect Notification Attachments for Gravity Forms
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/notification-attachments-for-gravity-forms/assets/script.js
- notification-attachments-for-gravity-forms/assets/script.js?ver=
HTML / DOM Fingerprints
- gf-kgm-remove-attachment
- <!-- Code for form inside Gravity Forms Notification setting (edited for Gravity Forms 2.5 -> https://docs.gravityforms.com/gform_notification_settings_fields/) -->
- <!-- Security check: verify user has permission to edit Gravity Forms notifications -->
- <!-- Security check: verify we're in admin context -->
- <!-- Note: Nonce verification is handled by Gravity Forms since this is integrated in their form -->
- (6 more fingerprints not shown)
- data-id
- gf_kgm_notification_attachment