Contact Form & SMTP Plugin for WordPress by PirateForms Security & Risk Analysis

wordpress.org/plugins/pirate-forms

A simple and effective WordPress contact form & SMTP plugin. Compatible with best themes out there, is both a secure and responsive contact form p …

Active installs: 30K
Version: v2.6.1
PHP: 5.6+
WP: 5.5+
Updated: Jan 20, 2025
Tags: contact-form, feedback-form, forms, smtp, subscribe-form

Security score: 87 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Mar 3, 2025
Safety Verdict

Is Contact Form & SMTP Plugin for WordPress by PirateForms Safe to Use in 2026?

Generally Safe

Score 87/100

Contact Form & SMTP Plugin for WordPress by PirateForms has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Mar 3, 2025 · Updated 1yr ago
Risk Assessment

The pirate-forms plugin v2.6.1 exhibits a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a high percentage of properly escaped output, significant concerns remain regarding its attack surface. The presence of two AJAX handlers without authentication checks creates a direct entry point for unauthenticated attackers to interact with the plugin's backend logic. This is particularly worrisome given the plugin's history of vulnerabilities, including critical and high severity Cross-site Scripting (XSS) and Code Injection flaws. Although no currently unpatched CVEs are listed, the recurring nature of these severe vulnerability types in the past suggests a pattern of insecure input handling that could be present in this version. The plugin's strengths lie in its secure data handling for SQL and output, but the unprotected AJAX endpoints coupled with past vulnerability trends elevate the risk profile.

Key Concerns

  • Unprotected AJAX handlers
  • History of High severity vulnerabilities
  • History of Medium severity vulnerabilities
  • Unsanitized input risk due to past XSS/Code Injection
Vulnerabilities (4)

Contact Form & SMTP Plugin for WordPress by PirateForms Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2025: 3 CVEs

Severity Breakdown

  • High: 2
  • Medium: 2

4 total CVEs

CVE-2024-11272 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form & SMTP Plugin for WordPress by PirateForms <= 2.5.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Mar 3, 2025 · Patched in 2.6.0 (50d)

CVE-2024-11273 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form & SMTP Plugin for WordPress by PirateForms <= 2.5.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Mar 3, 2025 · Patched in 2.6.0 (50d)

CVE-2024-13453 · high · 7.3 · Improper Control of Generation of Code ('Code Injection')
Contact Form & SMTP Plugin for WordPress by PirateForms <= 2.6.0 - Unauthenticated Arbitrary Shortcode Execution
Jan 29, 2025 · Patched in 2.6.1 (1d)

CVE-2019-25145 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form & SMTP Plugin by PirateForms <= 2.5.1 - Unauthenticated HTML injection
Jul 27, 2019 · Patched in 2.5.2 (1641d)
Code Analysis (analyzed Mar 16, 2026)

Contact Form & SMTP Plugin for WordPress by PirateForms Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 25 (226 escaped)
  • Nonce Checks: 7
  • Capability Checks: 1
  • File Operations: 2
  • External Requests: 2
  • Bundled Libraries: 0

Output Escaping: 90% escaped (251 total outputs)
Data Flows: All sanitized

Data Flow Analysis

1 flow: <class-pirateforms-public> (public\class-pirateforms-public.php:0)
Attack Surface (2 unprotected)

Contact Form & SMTP Plugin for WordPress by PirateForms Attack Surface

Entry Points: 5
Unprotected: 2

AJAX Handlers (4)

  • wp_ajax_pirateforms_migration_install (auth) · includes\class-pirateforms-farewell.php:59
  • wp_ajax_pirateforms_migration_activate (auth) · includes\class-pirateforms-farewell.php:60
  • wp_ajax_pirate_forms_save (auth) · includes\class-pirateforms.php:174
  • wp_ajax_pirate_forms_test (auth) · includes\class-pirateforms.php:175

Shortcodes (1)

  • [pirate_forms] · includes\class-pirateforms.php:216
WordPress Hooks (32)

  • filter pirateformpro_get_form_attributes · admin\class-pirateforms-admin.php:1154
  • action pirate_forms_after_processing · admin\class-pirateforms-admin.php:1155
  • filter pirate_forms_validate_request · admin\class-pirateforms-admin.php:1156
  • action admin_head · includes\class-pirateforms-farewell.php:58
  • filter wpforms_upgrade_link_medium · includes\class-pirateforms-farewell.php:61
  • action enqueue_block_editor_assets · includes\class-pirateforms.php:98
  • action init · includes\class-pirateforms.php:99
  • action rest_api_init · includes\class-pirateforms.php:100
  • action plugins_loaded · includes\class-pirateforms.php:139
  • action init · includes\class-pirateforms.php:150
  • filter pirate_forms_version_supports · includes\class-pirateforms.php:151
  • action themeisle_log_event · includes\class-pirateforms.php:154
  • action admin_enqueue_scripts · includes\class-pirateforms.php:170
  • action admin_menu · includes\class-pirateforms.php:171
  • action admin_head · includes\class-pirateforms.php:172
  • action admin_notices · includes\class-pirateforms.php:177
  • filter pirate_forms_support_custom_spam · includes\class-pirateforms.php:180
  • filter manage_pf_contact_posts_columns · includes\class-pirateforms.php:182
  • filter manage_pf_contact_posts_custom_column · includes\class-pirateforms.php:183
  • filter wp_privacy_personal_data_exporters · includes\class-pirateforms.php:184
  • filter wp_privacy_personal_data_erasers · includes\class-pirateforms.php:185
  • action wp_enqueue_scripts · includes\class-pirateforms.php:199
  • action template_redirect · includes\class-pirateforms.php:200
  • action pirate_unittesting_template_redirect · includes\class-pirateforms.php:203
  • action pirate_forms_send_email · includes\class-pirateforms.php:204
  • filter widget_text · includes\class-pirateforms.php:206
  • filter pirate_forms_public_controls · includes\class-pirateforms.php:207
  • action rest_api_init · includes\class-pirateforms.php:209
  • filter pirate_forms_friendly_name · includes\class-pirateforms.php:214
  • action widgets_init · includes\class-pirateforms.php:225
  • action phpmailer_init · public\class-pirateforms-public.php:740
  • action wp_mail_failed · public\class-pirateforms-public.php:927
Maintenance & Trust

Contact Form & SMTP Plugin for WordPress by PirateForms Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Jan 20, 2025
  • PHP min version: 5.6
  • Downloads: 3.8M

Community Trust

  • Rating: 94/100
  • Number of ratings: 223
  • Active installs: 30K
Developer Profile

Contact Form & SMTP Plugin for WordPress by PirateForms Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

  • Trust score: 73
  • Avg Security Score: 91/100
  • Avg Patch Time: 795 days
Detection Fingerprints

How We Detect Contact Form & SMTP Plugin for WordPress by PirateForms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/pirate-forms/admin/css/wp-admin.css
  • /wp-content/plugins/pirate-forms/admin/js/scripts-admin.js
  • /wp-content/plugins/pirate-forms/admin/css/farewell.css
  • /wp-content/plugins/pirate-forms/admin/css/migration.css
  • /wp-content/plugins/pirate-forms/admin/js/migration.js

Version Parameters

  • /wp-content/plugins/pirate-forms/admin/css/wp-admin.css?ver=
  • /wp-content/plugins/pirate-forms/admin/js/scripts-admin.js?ver=
  • /wp-content/plugins/pirate-forms/admin/css/farewell.css?ver=
  • /wp-content/plugins/pirate-forms/admin/css/migration.css?ver=
  • /wp-content/plugins/pirate-forms/admin/js/migration.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • pirateforms-admin-wrap
  • pirateforms-admin-nav
  • pf-tooltip
  • pf-forms-title
  • pf-forms-list
  • pf-forms-edit
  • pf-forms-delete
  • pf-forms-duplicate
  • +7 more

HTML Comments

  • <!-- Plugin Pirate Forms -->
  • <!-- Plugin URI: http://themeisle.com/plugins/pirate-forms/ -->
  • <!-- Description: Easily creates a nice looking, simple contact form on your WP site. -->
  • <!-- Author: WPForms -->
  • +17 more

Data Attributes

  • data-pf-id
  • data-pf-slug
  • data-pf-redirect
  • data-pf-nonce
  • data-pf-action
  • data-pf-form-title
  • +2 more

JS Globals

  • pirateforms_scripts_admin
  • cwp_top_ajaxload

REST Endpoints

  • /wp-json/pirateforms/v1/forms
FAQ

Frequently Asked Questions about Contact Form & SMTP Plugin for WordPress by PirateForms