Quill Forms | Conversational Multi Step Forms, Surveys & quizzes Security & Risk Analysis

wordpress.org/plugins/quillforms

Quill Forms - Conversational WordPress Form Builder

3K active installs · v5.6.1 · PHP 7.1+ · WP 5.4+ · Updated Feb 16, 2026
Tags: conversational, forms, quill, survey, typeform
Score: 98 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Jan 6, 2025
Safety Verdict

Is Quill Forms | Conversational Multi Step Forms, Surveys & quizzes Safe to Use in 2026?

Generally Safe

Score 98/100

Quill Forms | Conversational Multi Step Forms, Surveys & quizzes has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jan 6, 2025 · Updated 1mo ago
Risk Assessment

The Quillforms plugin v5.6.1 exhibits a mixed security posture. While it demonstrates strong adherence to secure coding practices such as extensive output escaping (96%) and a high percentage of prepared statements for SQL queries (86%), significant concerns arise from its attack surface. A substantial number of AJAX handlers (14 out of 17) lack proper authorization checks, presenting a considerable risk of unauthorized actions if these endpoints are exploitable. The single identified taint flow with unsanitized paths, rated as high severity, further exacerbates this risk, suggesting a potential for code injection or other harmful operations.

Historically, the plugin has had three medium-severity vulnerabilities, of the types Cross-site Scripting and Missing Authorization. Although no CVEs are currently unpatched, the recurring missing-authorization and XSS issues in its history, together with the current findings of unprotected AJAX handlers and a high-severity taint flow, point to a persistent challenge in securing every entry point. The plugin's SQL and output-handling practices are strengths, but the number of unprotected AJAX endpoints and the high-severity taint flow are significant weaknesses that require immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow with unsanitized path
  • Medium severity vulnerabilities in history
  • Missing authorization vulnerabilities in history
Vulnerabilities (3)

Quill Forms | Conversational Multi Step Forms, Surveys & quizzes Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 1 CVE

All patched; none unpatched.

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2024-11826 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 6, 2025 · Patched in 4.0.0 (1d)

CVE-2024-47393 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Quill Forms <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 30, 2024 · Patched in 3.8.0 (11d)

CVE-2023-46610 · medium · 5.4 · Missing Authorization

Quill Forms <= 3.3.0 - Missing Authorization

Oct 24, 2023 · Patched in 3.4.0 (91d)

Code Analysis

Analyzed Mar 16, 2026

Quill Forms | Conversational Multi Step Forms, Surveys & quizzes Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 8 (48 prepared)
  • Unescaped Output: 6 (128 escaped)
  • Nonce Checks: 6
  • Capability Checks: 33
  • File Operations: 31
  • External Requests: 3
  • Bundled Libraries: 0

SQL Query Safety

86% prepared (56 total queries)

Output Escaping

96% escaped (134 total outputs)

Data Flows (1 unsanitized)

Data Flow Analysis

1 flow, 1 with unsanitized paths

  • <class-form-submission> (includes\class-form-submission.php:0)

Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface (14 unprotected)

Quill Forms | Conversational Multi Step Forms, Surveys & quizzes Attack Surface

Entry Points: 19
Unprotected: 14

AJAX Handlers (17)

  • auth: wp_ajax_quillforms_duplicate_form (includes\admin\class-admin.php:68)
  • auth: wp_ajax_quillforms_install_quillcrm (includes\admin\class-admin.php:69)
  • auth: wp_ajax_quillforms_activate_quillcrm (includes\admin\class-admin.php:70)
  • auth: wp_ajax_quillforms_apply_discount (includes\class-discount-coupons.php:86)
  • nopriv: wp_ajax_quillforms_apply_discount (includes\class-discount-coupons.php:87)
  • auth: wp_ajax_quillforms_delete_coupon (includes\class-discount-coupons.php:89)
  • nopriv: wp_ajax_quillforms_delete_coupon (includes\class-discount-coupons.php:90)
  • auth: wp_ajax_quillforms_form_submit (includes\class-form-submission.php:110)
  • nopriv: wp_ajax_quillforms_form_submit (includes\class-form-submission.php:111)
  • auth: wp_ajax_quillforms_complete_full_discounted_orders (includes\class-form-submission.php:113)
  • nopriv: wp_ajax_quillforms_complete_full_discounted_orders (includes\class-form-submission.php:114)
  • auth: wp_ajax_quillforms_license_activate (includes\site\class-license.php:63)
  • auth: wp_ajax_quillforms_license_update (includes\site\class-license.php:64)
  • auth: wp_ajax_quillforms_license_deactivate (includes\site\class-license.php:65)
  • auth: wp_ajax_quillforms_addon_install (includes\site\class-store.php:61)
  • auth: wp_ajax_quillforms_addon_activate (includes\site\class-store.php:62)
  • auth: wp_ajax_quillforms_addon_ensure_activation (includes\site\class-store.php:63)

Shortcodes (2)

  • [quillforms] (includes\class-shortcode.php:58)
  • [quillforms-popup] (includes\class-shortcode.php:59)
WordPress Hooks (81)

  • action: init (includes\addon\class-addon.php:181)
  • action: admin_notices (includes\addon\class-addon.php:209)
  • action: wp_default_scripts (includes\addon\class-scripts.php:58)
  • action: wp_default_styles (includes\addon\class-scripts.php:59)
  • action: admin_enqueue_scripts (includes\addon\class-scripts.php:61)
  • action: wp_enqueue_scripts (includes\addon\class-scripts.php:62)
  • action: admin_enqueue_scripts (includes\addon\class-scripts.php:64)
  • action: wp_enqueue_scripts (includes\addon\class-scripts.php:65)
  • action: quillforms_entry_processed (includes\addon\provider\class-provider.php:89)
  • action: quillforms_entry_processed (includes\addon\provider\class-provider.php:101)
  • action: rest_api_init (includes\addon\provider\rest\class-account-controller.php:42)
  • filter: rest_prepare_quill_forms (includes\addon\provider\rest\class-rest.php:50)
  • action: rest_api_init (includes\addon\provider\rest\class-run-connection-controller.php:64)
  • action: rest_api_init (includes\addon\rest\class-form-data-controller.php:55)
  • action: rest_api_init (includes\addon\rest\class-settings-controller.php:62)
  • action: admin_enqueue_scripts (includes\admin\class-admin-loader.php:53)
  • action: admin_enqueue_scripts (includes\admin\class-admin-loader.php:54)
  • action: admin_enqueue_scripts (includes\admin\class-admin-loader.php:55)
  • action: admin_head (includes\admin\class-admin-loader.php:66)
  • action: admin_notices (includes\admin\class-admin-loader.php:67)
  • action: admin_notices (includes\admin\class-admin-loader.php:68)
  • filter: admin_body_class (includes\admin\class-admin-loader.php:69)
  • action: admin_menu (includes\admin\class-admin.php:67)
  • action: pre_get_posts (includes\admin\class-admin.php:71)
  • filter: post_type_link (includes\admin\class-admin.php:72)
  • filter: rewrite_rules_array (includes\admin\class-admin.php:73)
  • filter: quillforms_renderer_form_object (includes\blocks\quill-booking\class-quill-booking-block.php:412)
  • action: quillforms_entry_payment_processed (includes\class-discount-coupons.php:93)
  • action: init (includes\class-install.php:31)
  • filter: quillforms_register_log_handlers (includes\class-quillforms.php:168)
  • action: init (includes\class-quillforms.php:169)
  • action: init (includes\class-quillforms.php:170)
  • action: init (includes\class-quillforms.php:171)
  • action: init (includes\class-quillforms.php:172)
  • action: init (includes\class-quillforms.php:173)
  • action: elementor/widgets/widgets_registered (includes\class-quillforms.php:184)
  • action: init (includes\class-shortcode.php:46)
  • action: action_scheduler_deleted_action (includes\class-tasks.php:56)
  • filter: autoptimize_filter_js_exclude (includes\compatibility\cache\autoptimize\class-autoptimize-compatibility.php:27)
  • filter: autoptimize_filter_js_noptimize (includes\compatibility\cache\autoptimize\class-autoptimize-compatibility.php:28)
  • filter: sgo_javascript_combine_exclude (includes\compatibility\cache\sg-optimize\class-sg-optimize-compatibility.php:26)
  • filter: sgo_js_minify_exclude (includes\compatibility\cache\sg-optimize\class-sg-optimize-compatibility.php:27)
  • filter: sgo_javascript_combine_exclude (includes\compatibility\cache\sg-optimize\class-sg-optimize-compatibility.php:28)
  • filter: sgo_javascript_combine_excluded_inline_content (includes\compatibility\cache\sg-optimize\class-sg-optimize-compatibility.php:29)
  • filter: sgo_js_async_exclude (includes\compatibility\cache\sg-optimize\class-sg-optimize-compatibility.php:38)
  • action: init (includes\compatibility\cache\sg-optimize\class-sg-optimize-compatibility.php:39)
  • filter: sgo_javascript_combine_exclude_all_inline (includes\compatibility\cache\sg-optimize\class-sg-optimize-compatibility.php:40)
  • filter: rocket_cache_reject_uri (includes\compatibility\cache\wp-rocket\class-wp-rocket-compatibility.php:27)
  • filter: rocket_exclude_defer_js (includes\compatibility\cache\wp-rocket\class-wp-rocket-compatibility.php:28)
  • filter: rocket_exclude_js (includes\compatibility\cache\wp-rocket\class-wp-rocket-compatibility.php:29)
  • filter: wp-optimize-minify-default-exclusions (includes\compatibility\cache\wpoptimize\class-wpoptimize-compatibility.php:27)
  • action: quillforms_head (includes\compatibility\translation\weglot\class-weglot-compatability.php:10)
  • action: wp_enqueue_scripts (includes\compatibility\translation\weglot\class-weglot-compatability.php:11)
  • action: quillforms_email_send_before (includes\emails\class-emails.php:140)
  • action: quillforms_email_send_after (includes\emails\class-emails.php:141)
  • action: wp_mail_failed (includes\emails\class-emails.php:407)
  • filter: wp_mail_from (includes\emails\class-emails.php:435)
  • filter: wp_mail_from_name (includes\emails\class-emails.php:436)
  • filter: wp_mail_content_type (includes\emails\class-emails.php:437)
  • filter: quillforms_entry_save (includes\entries\class-entries.php:50)
  • filter: quillforms_entry_retrieve (includes\entries\class-entries.php:51)
  • action: delete_post (includes\entries\class-entries.php:52)
  • action: quillforms_provider_connection_processed (includes\entries\class-entries.php:53)
  • action: quillforms_cleanup_logs (includes\functions.php:236)
  • action: wp (includes\render\class-form-renderer.php:97)
  • action: init (includes\render\class-form-renderer.php:100)
  • filter: show_admin_bar (includes\render\class-form-renderer.php:102)
  • action: wp_enqueue_scripts (includes\render\class-form-renderer.php:105)
  • action: wp_enqueue_scripts (includes\render\class-form-renderer.php:106)
  • filter: script_loader_tag (includes\render\class-form-renderer.php:109)
  • filter: script_loader_tag (includes\render\class-form-renderer.php:112)
  • filter: perfmatters_defer_js (includes\render\class-form-renderer.php:126)
  • filter: perfmatters_delay_js (includes\render\class-form-renderer.php:127)
  • filter: template_include (includes\render\class-form-renderer.php:138)
  • action: rest_api_init (includes\rest-api\class-rest-api.php:63)
  • action: quillforms_loaded (includes\site\class-license.php:60)
  • action: init (includes\site\class-license.php:253)
  • filter: doing_it_wrong_trigger_error (quillforms.php:56)
  • action: plugins_loaded (quillforms.php:62)
  • action: admin_notices (quillforms.php:80)
  • action: admin_notices (quillforms.php:86)

Scheduled Events (1)

  • quillforms_cleanup_logs
Maintenance & Trust

Quill Forms | Conversational Multi Step Forms, Surveys & quizzes Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 16, 2026
PHP min version: 7.1
Downloads: 119K

Community Trust

Rating: 96/100
Number of ratings: 44
Active installs: 3K
Developer Profile

Quill Forms | Conversational Multi Step Forms, Surveys & quizzes Developer Profile

Mohamed Magdy

2 plugins · 3K total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 34 days
Detection Fingerprints

How We Detect Quill Forms | Conversational Multi Step Forms, Surveys & quizzes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/quillforms/dist/js/quillforms-backend.js
  • /wp-content/plugins/quillforms/dist/css/quillforms-backend.css
  • /wp-content/plugins/quillforms/dist/js/quillforms-frontend.js
  • /wp-content/plugins/quillforms/dist/css/quillforms-frontend.css
  • /wp-content/plugins/quillforms/dist/js/editor.js
  • /wp-content/plugins/quillforms/dist/css/editor.css
  • /wp-content/plugins/quillforms/assets/js/quillforms.js
  • /wp-content/plugins/quillforms/assets/css/quillforms.css
  • +2 more

Script Paths

  • /wp-content/plugins/quillforms/dist/js/quillforms-backend.js
  • /wp-content/plugins/quillforms/dist/js/quillforms-frontend.js
  • /wp-content/plugins/quillforms/dist/js/editor.js
  • /wp-content/plugins/quillforms/assets/js/quillforms.js
  • /wp-content/plugins/quillforms/assets/js/vendor/swiper.min.js

Version Parameters

  • quillforms/dist/css/quillforms-backend.css?ver=
  • quillforms/dist/js/quillforms-backend.js?ver=
  • quillforms/dist/css/quillforms-frontend.css?ver=
  • quillforms/dist/js/quillforms-frontend.js?ver=
  • quillforms/dist/css/editor.css?ver=
  • quillforms/dist/js/editor.js?ver=
  • quillforms/assets/css/quillforms.css?ver=
  • quillforms/assets/js/quillforms.js?ver=
  • quillforms/assets/css/vendor/swiper.min.css?ver=
  • quillforms/assets/js/vendor/swiper.min.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • quillforms-container
  • quillforms-form
  • quillforms-field
  • quillforms-button

Data Attributes

  • data-quillforms-form-id
  • data-quillforms-field-id

JS Globals

  • QuillFormsFrontend
  • QuillFormsEditorConfig

REST Endpoints

  • /wp-json/quillforms/v1/forms
  • /wp-json/quillforms/v1/submissions

Shortcode Output

  • [quillforms id="
  • [quillforms slug="
FAQ

Frequently Asked Questions about Quill Forms | Conversational Multi Step Forms, Surveys & quizzes