RTMForm Builder Security & Risk Analysis

wordpress.org/plugins/romethemeform

RTMForm For Elementor Plugin is a Form Builder for Elementor, and Widget Ready to use.

30K active installs · v1.2.5 · PHP 8.2+ · WP 6.8+ · Updated Feb 10, 2026
Tags: contact-form-builder, custom-form, elementor-form, form
Score: 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: May 22, 2024
Safety Verdict

Is RTMForm Builder Safe to Use in 2026?

Generally Safe

Score 99/100

RTMForm Builder has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: May 22, 2024 · Updated 1mo ago
Risk Assessment

The "romethemeform" v1.2.5 plugin exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in database interaction, with all SQL queries utilizing prepared statements, and a high percentage (87%) of output being properly escaped, significantly reducing the risk of cross-site scripting (XSS) vulnerabilities. Furthermore, the absence of critical or high-severity taint flows and no currently unpatched CVEs are encouraging signs.

However, several concerns warrant attention. The plugin has a notable attack surface of 8 entry points, with one AJAX handler lacking authentication checks. This unprotected entry point presents a significant risk, as an unauthenticated attacker could potentially exploit it. While the static analysis did not reveal dangerous functions or unsanitized paths, the presence of a single unprotected AJAX handler is a critical oversight. The vulnerability history indicates a pattern of medium-severity vulnerabilities, with two known CVEs in the past, suggesting a recurring need for thorough security audits and patching.

In conclusion, while the plugin has strengths in secure coding practices like prepared statements and output escaping, the unprotected AJAX handler and past vulnerability history indicate areas that require immediate attention. Addressing the unprotected entry point is paramount to improving its overall security. The history of medium vulnerabilities suggests a need for more robust and comprehensive security testing throughout the development lifecycle.

Key Concerns

  • Unprotected AJAX handler
  • Previous medium severity CVEs (2 total)
Vulnerabilities: 2

RTMForm Builder Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2023-6325 · medium · 5.3 · Missing Authorization

RomethemeForm For Elementor <= 1.1.5 - Missing Authorization via export_entries, rtformnewform, and rtformupdate

May 22, 2024 · Patched in 1.1.6 (69d)

CVE-2024-32727 · medium · 5.3 · Missing Authorization

RomethemeForm For Elementor <= 1.1.2 - Missing Authorization

Apr 22, 2024 · Patched in 1.1.3 (8d)
Code Analysis
Analyzed Mar 16, 2026

RTMForm Builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 68 (441 escaped)
Nonce Checks: 5
Capability Checks: 3
File Operations: 2
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

87% escaped · 509 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
export_entries (modules\form\form.php:490)
Attack Surface
1 unprotected

RTMForm Builder Attack Surface

Entry Points: 8
Unprotected: 1

AJAX Handlers 7

auth     wp_ajax_rtformnewform    modules\form\form.php:22
auth     wp_ajax_rtformupdate     modules\form\form.php:23
auth     wp_ajax_rformsendform    modules\form\form.php:24
nopriv   wp_ajax_rformsendform    modules\form\form.php:25
auth     wp_ajax_export_entries   modules\form\form.php:26
auth     wp_ajax_get_form_data    modules\form\form.php:27
auth     wp_ajax_remove_notice    rometheme-form.php:60

Shortcodes 1

[rform] modules\form\form.php:30
WordPress Hooks 21
action   init                                      modules\form\form.php:17
action   init                                      modules\form\form.php:18
action   admin_menu                                modules\form\form.php:19
action   admin_enqueue_scripts                     modules\form\form.php:20
filter   single_template                           modules\form\form.php:29
action   init                                      rometheme-form.php:25
action   admin_head                                rometheme-form.php:30
action   admin_head                                rometheme-form.php:33
action   admin_head                                rometheme-form.php:39
action   admin_enqueue_scripts                     rometheme-form.php:51
action   elementor/widgets/register                rometheme-form.php:52
action   elementor/elements/categories_registered  rometheme-form.php:53
action   wp_enqueue_scripts                        rometheme-form.php:54
action   elementor/frontend/after_register_scripts rometheme-form.php:55
action   elementor/editor/before_enqueue_styles    rometheme-form.php:56
action   elementor/editor/before_register_scripts  rometheme-form.php:57
action   elementor/editor/before_enqueue_scripts   rometheme-form.php:58
action   elementor/controls/register               rometheme-form.php:59
action   rform_notices                             rometheme-form.php:61
action   elementor/editor/before_enqueue_styles    rometheme-form.php:63
action   admin_notices                             rometheme-form.php:314
Maintenance & Trust

RTMForm Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 10, 2026
PHP min version: 8.2
Downloads: 181K

Community Trust

Rating: 86/100
Number of ratings: 14
Active installs: 30K
Developer Profile

RTMForm Builder Developer Profile

Rometheme

2 plugins · 80K total installs

Trust score: 84
Avg Security Score: 94/100
Avg Patch Time: 34 days
Detection Fingerprints

How We Detect RTMForm Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/romethemeform/assets/css/frontend.css
  • /wp-content/plugins/romethemeform/assets/js/frontend.js
  • /wp-content/plugins/romethemeform/widgets/rometheme-form/assets/css/editor-styles.css
  • /wp-content/plugins/romethemeform/widgets/rometheme-form/assets/js/editor-script.js
  • /wp-content/plugins/romethemeform/libs/notice/notice.css
Script Paths
  • /wp-content/plugins/romethemeform/assets/js/frontend.js
  • /wp-content/plugins/romethemeform/widgets/rometheme-form/assets/js/editor-script.js
Version Parameters
  • romethemeform/assets/css/frontend.css?ver=
  • romethemeform/assets/js/frontend.js?ver=
  • romethemeform/widgets/rometheme-form/assets/css/editor-styles.css?ver=
  • romethemeform/widgets/rometheme-form/assets/js/editor-script.js?ver=
  • romethemeform/libs/notice/notice.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • rtm-form-builder-widget
  • rtm-form-container
  • rtm-form-field
HTML Comments
  • RTMForm Builder Widget Wrapper
  • RTMForm Builder Form Wrapper
  • RTMForm Builder Field Wrapper
Data Attributes
  • data-rtm-form-id
  • data-rtm-field-id
JS Globals
  • RomethemeFormFrontend
  • RTMFormConfig
REST Endpoints
  • /wp-json/romethemeform/v1/submit
  • /wp-json/romethemeform/v1/upload
Shortcode Output
  • [rtm_form
FAQ

Frequently Asked Questions about RTMForm Builder