Real Time Validation for Gravity Forms Security & Risk Analysis

wordpress.org/plugins/real-time-validation-for-gravity-forms

Real Time Validation for Gravity Forms increases conversion rates of your Gravity Form using inline validation messages as the user types in a field.

2K active installs · v1.7.0 · PHP + WP 4.2.1+ · Updated Oct 2, 2018
Tags: gravity-forms, gravity-forms-addon, gravity-forms-fields-validation, jquery-validation, live-validation
Score: 24 · F · Critical Risk
CVEs total: 3
Unpatched: 3
Last CVE: May 30, 2025
Safety Verdict

Is Real Time Validation for Gravity Forms Safe to Use in 2026?

Critical Risk — Avoid

Score 24/100

Real Time Validation for Gravity Forms is critically unsafe with 3 known CVEs, 3 still unpatched. Avoid in production.

3 known CVEs · 3 unpatched · Last CVE: May 30, 2025 · Updated 7yr ago
Risk Assessment

The "real-time-validation-for-gravity-forms" plugin v1.7.0 exhibits significant security concerns, primarily stemming from its unprotected AJAX endpoint and a history of severe vulnerabilities. The static analysis reveals a small attack surface with only one entry point, an AJAX handler, which critically lacks authentication checks. This opens the door for unauthenticated users to potentially trigger actions within the plugin, a major risk. Furthermore, the plugin shows poor output escaping practices, with only 5% of outputs being properly sanitized, indicating a high likelihood of Cross-Site Scripting (XSS) vulnerabilities being present in the code itself. The taint analysis also flags two flows with unsanitized paths, suggesting potential for sensitive data manipulation or unauthorized actions if these paths are reachable.

The plugin's vulnerability history is a major red flag. With three known CVEs, all of which are currently unpatched, and one classified as critical, the plugin has a pattern of introducing serious security flaws. The types of historical vulnerabilities, including XSS, CSRF, and PHP Remote File Inclusion, are particularly concerning as they can lead to complete site compromise. The most recent vulnerability, from May 2025, suggests a persistent issue with secure coding practices. While the plugin has no reported dangerous functions or external HTTP requests, and it does have one nonce check, these are overshadowed by the critical lack of authentication on its sole AJAX endpoint and the concerning historical vulnerability record. This plugin should be considered high risk, and its use is strongly advised against until these critical issues are addressed.

Key Concerns

  • Unprotected AJAX endpoint
  • Poor output escaping (5% proper)
  • Unpatched Critical CVE
  • Unpatched Medium CVE
  • Unpatched Medium CVE
  • SQL queries without prepared statements
  • Taint flow with unsanitized path
  • Taint flow with unsanitized path
Vulnerabilities: 3

Real Time Validation for Gravity Forms Security Vulnerabilities

CVEs by Year

2025: 3 CVEs · unpatched

Severity Breakdown

Critical: 1
Medium: 2

3 total CVEs

CVE-2025-48329 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Real Time Validation for Gravity Forms <= 1.7.0 - Reflected Cross-Site Scripting

May 30, 2025 · Unpatched

CVE-2025-48328 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Real Time Validation for Gravity Forms <= 1.7.0 - Cross-Site Request Forgery

May 30, 2025 · Unpatched

CVE-2025-48330 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Real Time Validation for Gravity Forms <= 1.7.0 - Unauthenticated Local File Inclusion

May 30, 2025 · Unpatched

Code Analysis
Analyzed Mar 16, 2026

Real Time Validation for Gravity Forms Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 54 (3 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

5% escaped · 57 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
lv_validation_dashboard (admin\includes\class-lv-dashboard.php:48)
Attack Surface: 1 unprotected

Real Time Validation for Gravity Forms Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_lv_dismiss_error · public\includes\lv-all-ajax.php:13

WordPress Hooks: 35

action · admin_enqueue_scripts · admin\class-gravity-forms-live-validation-admin.php:48
action · admin_head · admin\class-gravity-forms-live-validation-admin.php:49
action · admin_init · admin\class-gravity-forms-live-validation-admin.php:50
action · admin_footer · admin\class-gravity-forms-live-validation-admin.php:51
action · init · admin\class-gravity-forms-live-validation-admin.php:52
action · gform_field_advanced_settings · admin\class-gravity-forms-live-validation-admin.php:59
action · gform_editor_js · admin\class-gravity-forms-live-validation-admin.php:60
filter · gform_form_settings_menu · admin\class-gravity-forms-live-validation-admin.php:62
action · gform_form_settings_page_lv_form_setting · admin\class-gravity-forms-live-validation-admin.php:63
filter · gform_form_actions · admin\class-gravity-forms-live-validation-admin.php:64
filter · gform_tooltips · admin\class-gravity-forms-live-validation-admin.php:65
filter · gform_admin_pre_render · admin\class-gravity-forms-live-validation-admin.php:66
filter · lv_auto_populate_validation_date · admin\class-gravity-forms-live-validation-admin.php:76
filter · lv_auto_populate_validation_email · admin\class-gravity-forms-live-validation-admin.php:77
filter · lv_auto_populate_validation_address · admin\class-gravity-forms-live-validation-admin.php:79
filter · lv_auto_populate_validation_time · admin\class-gravity-forms-live-validation-admin.php:81
action · admin_print_footer_scripts · admin\class-gravity-forms-live-validation-admin.php:778
action · admin_init · admin\includes\class-lv-dashboard.php:28
action · admin_enqueue_scripts · admin\includes\class-lv-pointers.php:20
action · admin_print_footer_scripts · admin\includes\class-lv-pointers.php:25
action · admin_init · admin\includes\show-lv-on-form-list.php:10
action · wp_enqueue_scripts · public\class-gravity-forms-live-validation.php:58
action · wp_enqueue_scripts · public\class-gravity-forms-live-validation.php:59
filter · gform_pre_render · public\class-gravity-forms-live-validation.php:62
filter · gform_form_args · public\class-gravity-forms-live-validation.php:65
action · gform_post_submission · public\class-gravity-forms-live-validation.php:66
action · gform_post_paging · public\class-gravity-forms-live-validation.php:67
action · lv_pre_apply_validation · public\class-gravity-forms-live-validation.php:69
action · init · public\class-gravity-forms-live-validation.php:71
filter · gform_logging_supported · public\class-gravity-forms-live-validation.php:72
action · wp_footer · public\class-gravity-forms-live-validation.php:74
action · init · real-time-validation-for-gravity-form.php:32
action · plugins_loaded · real-time-validation-for-gravity-form.php:34
action · activated_plugin · real-time-validation-for-gravity-form.php:37
action · plugins_loaded · real-time-validation-for-gravity-form.php:48

Maintenance & Trust

Real Time Validation for Gravity Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Oct 2, 2018
PHP min version
Downloads: 62K

Community Trust

Rating: 90/100
Number of ratings: 12
Active installs: 2K

Developer Profile

Real Time Validation for Gravity Forms Developer Profile

Daman Jeet

2 plugins · 6K total installs

Trust score: 38
Avg Security Score: 41/100
Avg Patch Time: 300 days
Detection Fingerprints

How We Detect Real Time Validation for Gravity Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/real-time-validation-for-gravity-forms/admin/assets/css/gravity-forms-live-validation.css
/wp-content/plugins/real-time-validation-for-gravity-forms/admin/assets/js/gravity-forms-live-validation.js
Script Paths
/wp-content/plugins/real-time-validation-for-gravity-forms/admin/assets/js/gravity-forms-live-validation.js
Version Parameters
real-time-validation-for-gravity-forms/admin/assets/css/gravity-forms-live-validation.css?ver=
real-time-validation-for-gravity-forms/admin/assets/js/gravity-forms-live-validation.js?ver=

HTML / DOM Fingerprints

CSS Classes
lv-form-settings
lv-toggle-switch
HTML Comments
<!-- THIS IS A HELP MESSAGE THAT SHOWS UP WHEN THE PLUGIN HAS BEEN ACTIVATED THE FIRST TIME -->
<!-- LV Settings Page -->
Data Attributes
data-field-type
JS Globals
window.gf_global.gf_field_type.push('name');
window.gf_global.gf_field_type.push('date');
window.gf_global.gf_field_type.push('time');
window.gf_global.gf_field_type.push('address');
window.gf_global.gf_field_type.push('phone');
window.gf_global.gf_field_type.push('email');
+3 more

FAQ

Frequently Asked Questions about Real Time Validation for Gravity Forms