Novo Contact Form Security & Risk Analysis

wordpress.org/plugins/novo-contact-form

Modern contact form with a WPForms-style builder. Entries stay in wp-admin (no emails).

0 active installs · v1.5.2 · PHP 7.4+ · WP 5.0+ · Updated Feb 22, 2026
Tags: button, chat, contact, support
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never

Safety Verdict

Is Novo Contact Form Safe to Use in 2026?

Generally Safe

Score 100/100

Novo Contact Form has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago

Risk Assessment

The "novo-contact-form" plugin v1.5.2 exhibits a generally good security posture, with a significant number of entry points (6 total) being protected by authentication and permission checks. The plugin also demonstrates good practices regarding its database interactions, with 80% of SQL queries utilizing prepared statements, and a healthy number of nonce and capability checks present. There are no file operations or external HTTP requests, further reducing potential attack vectors.

However, the static analysis did reveal some areas for concern. Specifically, the taint analysis flagged 4 flows with unsanitized paths. While these were not categorized as critical or high severity, they represent a potential risk for injection vulnerabilities if user-supplied data is not properly validated or escaped before being used in sensitive operations. The output escaping rate of 64% also suggests that a substantial portion of output might not be properly sanitized, potentially leading to Cross-Site Scripting (XSS) vulnerabilities.

The plugin's vulnerability history is remarkably clean, with no recorded CVEs. This, combined with the strong implementation of security best practices like nonce and capability checks, suggests a well-maintained and secure codebase. The absence of past vulnerabilities is a positive indicator, but it's crucial not to become complacent, especially given the identified taint flows and the moderate output escaping rate.

Key Concerns

  • Unsanitized paths in taint flows
  • Moderate output escaping rate
Vulnerabilities
None known

Novo Contact Form Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Novo Contact Form Release Timeline

v1.5.2 (Current)

Code Analysis
Analyzed Mar 17, 2026

Novo Contact Form Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (16 prepared)
Unescaped Output: 148 (258 escaped)
Nonce Checks: 16
Capability Checks: 14
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

80% prepared · 20 total queries

Output Escaping

64% escaped · 406 total outputs

Data Flows · Security
4 unsanitized

Data Flow Analysis

4 flows · 4 with unsanitized paths
render_entries_page (admin\class-ncf-admin.php:297)
[Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]

Attack Surface

Novo Contact Form Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers 4

auth  wp_ajax_novocofo_submit  novo-contact-form\public\class-ncf-public.php:47
nopriv  wp_ajax_novocofo_submit  novo-contact-form\public\class-ncf-public.php:48
auth  wp_ajax_novocofo_submit  public\class-ncf-public.php:47
nopriv  wp_ajax_novocofo_submit  public\class-ncf-public.php:48

Shortcodes 2

[novoform] novo-contact-form\public\class-ncf-public.php:45
[novoform] public\class-ncf-public.php:45

WordPress Hooks 16

action  admin_menu  admin\class-ncf-admin.php:10
action  admin_enqueue_scripts  admin\class-ncf-admin.php:11
action  admin_post_novocofo_save_form  admin\class-ncf-admin.php:12
action  admin_post_novocofo_delete_form  admin\class-ncf-admin.php:13
action  admin_post_novocofo_delete_entry  admin\class-ncf-admin.php:14
action  admin_post_novocofo_save_options  admin\class-ncf-admin.php:15
action  admin_menu  novo-contact-form\admin\class-ncf-admin.php:10
action  admin_enqueue_scripts  novo-contact-form\admin\class-ncf-admin.php:11
action  admin_post_novocofo_save_form  novo-contact-form\admin\class-ncf-admin.php:12
action  admin_post_novocofo_delete_form  novo-contact-form\admin\class-ncf-admin.php:13
action  admin_post_novocofo_delete_entry  novo-contact-form\admin\class-ncf-admin.php:14
action  admin_post_novocofo_save_options  novo-contact-form\admin\class-ncf-admin.php:15
action  plugins_loaded  novo-contact-form\novo-contact-form.php:30
action  wp_enqueue_scripts  novo-contact-form\public\class-ncf-public.php:46
action  plugins_loaded  novo-contact-form.php:30
action  wp_enqueue_scripts  public\class-ncf-public.php:46

Maintenance & Trust

Novo Contact Form Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 22, 2026
PHP min version: 7.4
Downloads: 140

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0

Developer Profile

Novo Contact Form Developer Profile

Berkay Yavuz

2 plugins · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Novo Contact Form

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/novo-contact-form/assets/css/admin.css
/wp-content/plugins/novo-contact-form/assets/js/admin.js
Script Paths
/wp-content/plugins/novo-contact-form/assets/js/admin.js
Version Parameters
novo-contact-form/assets/css/admin.css?ver=
novo-contact-form/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
ncf-wrap
ncf-card
Data Attributes
data-field-id
data-form-id
JS Globals
NOVOCOFO_ADMIN
Shortcode Output
[novoform id="
FAQ

Frequently Asked Questions about Novo Contact Form