Piotnet Forms Security & Risk Analysis

wordpress.org/plugins/piotnetforms

Piotnet Forms - Highly Customizable WordPress Form Builder

2K active installs · v1.0.30 · PHP 5.4+ · WP 4.7+ · Updated Feb 22, 2024
Tags: form-builder, piotnet, piotnet-forms

Security score: 16/100 (F · Critical Risk)
CVEs total: 7
Unpatched: 4
Last CVE: Sep 22, 2025
Safety Verdict

Is Piotnet Forms Safe to Use in 2026?

Critical Risk — Avoid

Score 16/100

Piotnet Forms is critically unsafe with 7 known CVEs, 4 still unpatched. Avoid in production.

7 known CVEs · 4 unpatched · Last CVE: Sep 22, 2025 · Updated 2yr ago
Risk Assessment

The piotnetforms plugin v1.0.30 exhibits a concerning security posture, despite some positive indications. While it employs prepared statements for SQL queries and includes a reasonable number of nonce and capability checks, these are overshadowed by significant weaknesses. The presence of two AJAX handlers without authentication checks and four flows with unsanitized paths represents critical entry points for potential attacks. Furthermore, the plugin has a substantial history of known vulnerabilities, with four currently unpatched and a concerning mix of critical, high, and medium severity issues, including Cross-Site Request Forgery, Path Traversal, Cross-Site Scripting, Unrestricted File Upload, and Missing Authorization. This history suggests a recurring pattern of insecure coding practices that has not been adequately addressed, even in the most recently reported vulnerability.

Despite efforts in areas like SQL sanitization, the fundamental lack of proper authorization on entry points and the prevalence of past security flaws paint a picture of a plugin that requires immediate attention. The high number of known vulnerabilities, particularly critical and high severity ones, coupled with the identified insecure code patterns, indicates a high risk of exploitation. Users of this plugin should be aware that it may be actively vulnerable to a range of attacks, and remediation efforts are strongly advised.

Key Concerns

  • Unprotected AJAX handlers
  • Unsanitized paths in taint flows
  • Unpatched critical CVE
  • Unpatched high CVE
  • Multiple unpatched medium CVEs
  • Low output escaping percentage
  • Multiple known CVEs indicate recurring issues
Vulnerabilities
7 published

Piotnet Forms Security Vulnerabilities

CVEs by Year

  • 2023: 3 CVEs (all patched)
  • 2025: 4 CVEs (unpatched)

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 4
  • Low: 1

7 total CVEs

CVE-2025-57933 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Piotnet Forms <= 1.0.30 - Cross-Site Request Forgery
Sep 22, 2025 · Unpatched

CVE-2025-32205 · low · 3.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Piotnet Forms <= 1.0.30 - Authenticated (Editor+) Path Traversal
Apr 7, 2025 · Unpatched

CVE-2025-31793 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Piotnet Forms <= 1.0.30 - Authenticated (Editor+) Stored Cross-Site Scripting
Apr 1, 2025 · Unpatched

CVE-2025-31792 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Piotnet Forms <= 1.0.30 - Authenticated (Author+) Stored Cross-Site Scripting
Apr 1, 2025 · Unpatched

CVE-2023-51412 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
Piotnet Forms Plugin <= 1.0.28 - Unauthenticated Arbitrary File Upload
Dec 27, 2023 · Patched in 1.0.29 (59d)

CVE-2023-51413 · medium · 6.5 · Missing Authorization
Piotnet Forms <= 1.0.25 - Missing Authorization via multiple AJAX actions
Dec 27, 2023 · Patched in 1.0.30 (59d)

CVE-2023-6220 · high · 8.1 · Unrestricted Upload of File with Dangerous Type
Piotnet Forms <= 1.0.28 - Unauthenticated Arbitrary File Upload
Dec 4, 2023 · Patched in 1.0.29 (82d)
Code Analysis
Analyzed Mar 16, 2026

Piotnet Forms Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 82 (99 escaped)
  • Nonce Checks: 6
  • Capability Checks: 11
  • File Operations: 17
  • External Requests: 1
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

55% escaped (181 total outputs)
Data Flows · Security
4 unsanitized

Data Flow Analysis

11 flows, 4 with unsanitized paths

piotnetforms_duplicate (inc\ajax\duplicate.php:12)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
2 unprotected

Piotnet Forms Attack Surface

Entry Points: 15
Unprotected: 2

AJAX Handlers (14)

auth · wp_ajax_piotnetforms_duplicate · inc\ajax\duplicate.php:9
nopriv · wp_ajax_piotnetforms_duplicate · inc\ajax\duplicate.php:10
auth · wp_ajax_piotnetforms_export · inc\ajax\export.php:7
nopriv · wp_ajax_piotnetforms_export · inc\ajax\export.php:8
auth · wp_ajax_piotnetforms_get_json_file · inc\ajax\get-json-file.php:5
nopriv · wp_ajax_piotnetforms_get_json_file · inc\ajax\get-json-file.php:6
auth · wp_ajax_piotnetforms_widget_preview · inc\ajax\preview.php:9
nopriv · wp_ajax_piotnetforms_widget_preview · inc\ajax\preview.php:10
auth · wp_ajax_piotnetforms_save_draft · inc\ajax\save-draft.php:4
nopriv · wp_ajax_piotnetforms_save_draft · inc\ajax\save-draft.php:5
auth · wp_ajax_piotnetforms_save · inc\ajax\save.php:3
nopriv · wp_ajax_piotnetforms_save · inc\ajax\save.php:4
auth · wp_ajax_piotnetforms_ajax_form_builder · inc\forms\ajax-form-builder.php:4
nopriv · wp_ajax_piotnetforms_ajax_form_builder · inc\forms\ajax-form-builder.php:5

Shortcodes (1)

[piotnetforms] · inc\shortcode\shortcode-widget.php:36

WordPress Hooks (23)

action · add_meta_boxes · inc\forms\meta-box-piotnetforms-shortcode-in-post.php:5
action · save_post · inc\forms\meta-box-piotnetforms-shortcode-in-post.php:29
filter · wpml_piotnetforms_widgets_to_translate · inc\widgets\submit.php:1267
action · plugins_loaded · piotnetforms.php:25
action · init · piotnetforms.php:32
filter · single_template · piotnetforms.php:34
action · wp_enqueue_scripts · piotnetforms.php:56
action · admin_enqueue_scripts · piotnetforms.php:58
action · admin_enqueue_scripts · piotnetforms.php:60
action · admin_footer · piotnetforms.php:62
action · wp_enqueue_scripts · piotnetforms.php:64
action · admin_menu · piotnetforms.php:66
filter · the_content · piotnetforms.php:68
filter · script_loader_tag · piotnetforms.php:73
action · wp_footer · piotnetforms.php:75
action · wp_head · piotnetforms.php:77
filter · plugin_row_meta · piotnetforms.php:106
action · admin_init · piotnetforms.php:109
filter · post_row_actions · piotnetforms.php:111
filter · page_row_actions · piotnetforms.php:113
filter · body_class · piotnetforms.php:115
filter · acf/settings/remove_wp_meta_box · piotnetforms.php:122
action · admin_init · piotnetforms.php:437
Maintenance & Trust

Piotnet Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: Feb 22, 2024
PHP min version: 5.4
Downloads: 49K

Community Trust

Rating: 80/100
Number of ratings: 19
Active installs: 2K
Developer Profile

Piotnet Forms Developer Profile

piotnetdotcom

2 plugins · 32K total installs

Trust score: 40
Avg Security Score: 32/100
Avg Patch Time: 38 days
Detection Fingerprints

How We Detect Piotnet Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/piotnetforms/assets/css/frontend.css
/wp-content/plugins/piotnetforms/assets/css/style.css
/wp-content/plugins/piotnetforms/assets/js/frontend.js
/wp-content/plugins/piotnetforms/assets/js/script.js
/wp-content/plugins/piotnetforms/assets/js/custom.js
/wp-content/plugins/piotnetforms/assets/js/custom.min.js
/wp-content/plugins/piotnetforms/inc/forms/meta-box-piotnetforms-shortcode-in-post.php
/wp-content/plugins/piotnetforms/inc/shortcode/shortcode-widget.php

Script Paths
/wp-content/plugins/piotnetforms/assets/js/frontend.js
/wp-content/plugins/piotnetforms/assets/js/script.js
/wp-content/plugins/piotnetforms/assets/js/custom.js
/wp-content/plugins/piotnetforms/assets/js/custom.min.js

Version Parameters
piotnetforms/assets/css/frontend.css?ver=
piotnetforms/assets/css/style.css?ver=
piotnetforms/assets/js/frontend.js?ver=
piotnetforms/assets/js/script.js?ver=
piotnetforms/assets/js/custom.js?ver=
piotnetforms/assets/js/custom.min.js?ver=
piotnetforms-style-piotnetforms-scriptpiotnetforms-style

HTML / DOM Fingerprints

CSS Classes
piotnetforms-widget-preview
piotnet-forms-editor-wrapper
piotnet-forms-backend-wrapper
piotnet-forms-builder
piotnet-forms-preview-wrapper
piotnet-forms-content-wrapper
piotnet-forms-backend-elementor-preview
piotnet-forms-backend-elementor-wrapper

HTML Comments
<!-- piotnetforms-widget-preview -->
<!-- piotnetforms-editor-preview -->
<!-- piotnetforms -->

Data Attributes
data-piotnetforms-widget-preview
data-piotnet-sortable
data-piotnetforms-editor-preview
data-piotnetforms-template-container
data-piotnet-forms-editor
data-piotnet-forms-preview

JS Globals
piotnetforms_editor_options
piotnetforms_editor_preview_data
piotnetforms_editor_preview_assets
piotnetforms_editor_preview_css
piotnetforms_data

REST Endpoints
/wp-json/piotnetforms/v1/settings
/wp-json/piotnetforms/v1/get-forms
/wp-json/piotnetforms/v1/preview

Shortcode Output
[piotnetforms]
[piotnetforms id=1]
[piotnetforms form_id=1]
[piotnetforms class='my-form']
FAQ

Frequently Asked Questions about Piotnet Forms