Pay with Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/pay-with-contact-form-7

This Add-on seamlessly integrates PayPal with Contact Form 7.

100 active installs · v1.0.4 · PHP + WP 4.7+ · Updated Mar 24, 2023
Tags: cf7, contact-form, contact-form-7, form, paypal

Score: 30 · Grade D · High Risk
CVEs total: 3
Unpatched: 3
Last CVE: Jul 7, 2025
Safety Verdict

Is Pay with Contact Form 7 Safe to Use in 2026?

High Risk

Score 30/100

Pay with Contact Form 7 carries significant security risk with 3 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.

3 known CVEs · 3 unpatched · Last CVE: Jul 7, 2025 · Updated 3yr ago
Risk Assessment

The 'pay-with-contact-form-7' plugin, version 1.0.4, exhibits a mixed security posture. Static analysis reveals a seemingly small attack surface, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events lacking proper checks, but several concerning code signals are present. The significant number of dangerous function calls, specifically 'unserialize', and the concerningly low share of SQL queries that use prepared statements (13%) indicate potential vulnerabilities. Furthermore, less than half of the output is properly escaped, increasing the risk of Cross-Site Scripting (XSS). The plugin's vulnerability history is a major concern: three known medium-severity CVEs, all of which are currently unpatched. The reported vulnerability types (XSS, CSRF, SQL Injection) align with the code signals suggesting improper input handling and unsafe SQL query construction. Although this static analysis detected no critical taint flows, the established history of unpatched vulnerabilities and the identified code weaknesses paint a picture of a plugin that requires immediate attention and patching.

Key Concerns

  • Unpatched CVEs (3)
  • High percentage of SQL queries without prepared statements
  • Low percentage of properly escaped output
  • Dangerous function 'unserialize' used
Vulnerabilities (3)

Pay with Contact Form 7 Security Vulnerabilities

CVEs by Year

2025: 3 CVEs, all unpatched

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2025-52777 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Pay with Contact Form 7 <= 1.0.4 - Reflected Cross-Site Scripting
Jul 7, 2025 · Unpatched

CVE-2025-24772 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Pay with Contact Form 7 <= 1.0.4 - Cross-Site Request Forgery
Jun 5, 2025 · Unpatched

CVE-2025-32126 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Pay with Contact Form 7 <= 1.0.4 - Authenticated (Administrator+) SQL Injection
Apr 4, 2025 · Unpatched
Code Analysis (analyzed Mar 16, 2026)

Pay with Contact Form 7 Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 21 (3 prepared)
Unescaped Output: 41 (40 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 14
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize (admin\partials\wpcmscf7-admin-form-details.php:59): <?php $form_data = unserialize( $results[0]->form_value );
  • unserialize (admin\partials\wpcmscf7-admin-form-details.php:103): $trans_data = unserialize( $results[0]->trans_value );
  • unserialize (admin\partials\WPCMSCF7-List-Table.php:76): $first_row = isset($results[0]) ? unserialize( $results[0]->form_value ): 0 ;
  • unserialize (admin\partials\WPCMSCF7-List-Table.php:179): $form_value = unserialize( $result->form_value );
  • unserialize (admin\partials\WPCMSCF7-List-Table.php:287): $result_values = unserialize($result_value);
  • unserialize (admin\partials\WPCMSCF7-List-Table.php:315): $result_values = unserialize( $result_value );
  • unserialize (admin\partials\WPCMSCF7-List-Table.php:331): $result_values = unserialize( $result_value );

SQL Query Safety

13% prepared (24 total queries)

Output Escaping

49% escaped (81 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

2 flows, 2 with unsanitized paths
  • form_details_page (admin\partials\wpcmscf7-admin-form-details.php:19)
Attack Surface

Pay with Contact Form 7 Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 11
  • action plugins_loaded (includes\class-wpcmscf7.php:127)
  • action admin_enqueue_scripts (includes\class-wpcmscf7.php:142)
  • action admin_enqueue_scripts (includes\class-wpcmscf7.php:143)
  • action admin_init (includes\class-wpcmscf7.php:144)
  • action admin_menu (includes\class-wpcmscf7.php:145)
  • action admin_menu (includes\class-wpcmscf7.php:146)
  • filter wpcf7_editor_panels (includes\class-wpcmscf7.php:148)
  • action wpcf7_admin_after_additional_settings (includes\class-wpcmscf7.php:149)
  • action wpcf7_save_contact_form (includes\class-wpcmscf7.php:150)
  • action wpcf7_before_send_mail (includes\class-wpcmscf7.php:151)
  • action wpcf7_mail_sent (includes\class-wpcmscf7.php:152)
Maintenance & Trust

Pay with Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.1.10
Last updated: Mar 24, 2023
PHP min version:
Downloads: 7K

Community Trust

Rating: 80/100
Number of ratings: 2
Active installs: 100
Developer Profile

Pay with Contact Form 7 Developer Profile

cmsMinds

1 plugin · 100 total installs
Trust score: 45
Avg Security Score: 30/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Pay with Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/pay-with-contact-form-7/css/wpcmscf7-admin.css
  • /wp-content/plugins/pay-with-contact-form-7/js/wpcmscf7-admin.js
Version Parameters
  • /wpcmscf7-admin.css?ver=
  • /wpcmscf7-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpcmscf7_additional_settings
Data Attributes
  • wpcmscf7_enable
  • wpcmscf7_name
  • wpcmscf7_price
  • wpcmscf7_id
  • wpcmscf7_email
FAQ

Frequently Asked Questions about Pay with Contact Form 7