Secure Forms Security & Risk Analysis

wordpress.org/plugins/secure-forms

Secure Forms creates encrypted & HIPAA Compliant forms for Forminator. It allows you to easily accept secure & protected information with ease …

10 active installs · v1.0.6 · PHP 7.4+ · WP 4.0+ · Updated Aug 4, 2025
Tags: encrypted-forms, forminator, forms, hipaa-compliant
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Secure Forms Safe to Use in 2026?

Generally Safe

Score 100/100

Secure Forms has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8mo ago
Risk Assessment

The "secure-forms" plugin v1.0.6 demonstrates a generally strong security posture, with a commendable 100% of SQL queries utilizing prepared statements and a very high percentage (99%) of outputs being properly escaped. The absence of known CVEs and recorded historical vulnerabilities is also a positive indicator of diligent security practices by the developers. However, the plugin's attack surface presents significant concerns. Specifically, three out of six identified entry points, including two AJAX handlers and one REST API route, lack proper authentication or permission checks. This oversight creates direct opportunities for unauthenticated or unauthorized users to interact with sensitive functionalities, potentially leading to exploitation.

The lack of capability checks and the presence of unprotected AJAX handlers and REST API routes are the primary risk drivers. While taint analysis shows no critical or high-severity issues, meaning data flowing through the analyzed paths is sanitized, the unprotected entry points could still expose sensitive actions to attackers. The plugin relies heavily on external HTTP requests (21 total), which, while not inherently a vulnerability, could be a vector if any of these external services are compromised or have vulnerabilities. The bundling of Select2 and Freemius v1.0 also warrants attention, as outdated versions of bundled libraries can introduce known vulnerabilities.

Key Concerns

  • Unprotected AJAX handlers (2)
  • Unprotected REST API route (1)
  • No capability checks
  • Bundled library (Freemius v1.0) may be outdated
Vulnerabilities
None known

Secure Forms Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Secure Forms Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (4 prepared)
  • Unescaped Output: 2 (200 escaped)
  • Nonce Checks: 7
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 21
  • Bundled Libraries: 2

Bundled Libraries

  • Select2
  • Freemius 1.0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

99% escaped · 202 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
wpsf_forms_content_callback (includes\wpsf-functions.php:431)
Diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
3 unprotected

Secure Forms Attack Surface

Entry Points: 6
Unprotected: 3

AJAX Handlers: 5

  • auth · wp_ajax_wpsf_update_baa_status (includes\wpsf-functions.php:825)
  • auth · wp_ajax_wpsf_validate_api_key (includes\wpsf-functions.php:854)
  • auth · wp_ajax_wpsf_request_api_key (includes\wpsf-functions.php:907)
  • auth · wp_ajax_wpsf_finish_step1 (includes\wpsf-functions.php:950)
  • auth · wp_ajax_wpsf_finish_wizard (includes\wpsf-functions.php:961)

REST API Routes: 1

  • POST /wp-json/wpsf/v1/handle_jotform (includes\wpsf-functions.php:1009)

WordPress Hooks: 9

  • action · init (includes\wpsf-functions.php:58)
  • action · admin_init (includes\wpsf-functions.php:111)
  • action · admin_enqueue_scripts (includes\wpsf-functions.php:223)
  • action · forminator_custom_form_mail_before_send_mail (includes\wpsf-functions.php:272)
  • filter · forminator_custom_form_mail_admin_message (includes\wpsf-functions.php:299)
  • action · set_logged_in_cookie (includes\wpsf-functions.php:670)
  • action · wp_logout (includes\wpsf-functions.php:696)
  • action · rest_api_init (includes\wpsf-functions.php:1018)
  • action · admin_menu (includes\wpsf-functions.php:1074)
Maintenance & Trust

Secure Forms Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Aug 4, 2025
  • PHP min version: 7.4
  • Downloads: 1K

Community Trust

  • Rating: 0/100
  • Number of ratings: 0
  • Active installs: 10
Developer Profile

Secure Forms Developer Profile

Infinite Uploads

6 plugins · 101K total installs

  • Trust score: 93
  • Avg Security Score: 98/100
  • Avg Patch Time: 18 days
Detection Fingerprints

How We Detect Secure Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/secure-forms/assets/admin/css/wpsf-admin-css.css
  • /wp-content/plugins/secure-forms/assets/admin/js/wpsf_admin_script.js
  • /wp-content/plugins/secure-forms/assets/admin/js/select2.min.js
  • /wp-content/plugins/secure-forms/assets/admin/css/select2.min.css
  • /wp-content/plugins/secure-forms/assets/admin/css/smart_wizard_all.min.css
  • /wp-content/plugins/secure-forms/assets/admin/js/jquery.smartWizard.min.js
Script Paths
  • assets/admin/css/wpsf-admin-css.css
  • assets/admin/js/wpsf_admin_script.js
  • assets/admin/js/select2.min.js
  • assets/admin/css/select2.min.css
  • assets/admin/css/smart_wizard_all.min.css
  • assets/admin/js/jquery.smartWizard.min.js

HTML / DOM Fingerprints

JS Globals
ajaxwpsf_fs_data
REST Endpoints
  • /wp-json/wpsf/v1/synch_site
  • /wp-json/wpsf/v1/wpsf_check_pro
  • /wp-json/wpsf/v1/baa_status