Creative Contact Form Security & Risk Analysis

wordpress.org/plugins/sexy-contact-form

Creative Contact Form is a responsive contact form builder with amazing visual effects. Over 46,000+ sites are already using Creative Contact Form.

100 active installs · v1.0.0 · PHP + WP 3.6+ · Updated Mar 13, 2015
Tags: admin, advanced-form, ajax, attachment, best-contact-form-plugin
Score: 55 (C · Use Caution)
CVEs total: 2
Unpatched: 1
Last CVE: Jun 19, 2025
Safety Verdict

Is Creative Contact Form Safe to Use in 2026?

Use With Caution

Score 55/100

Creative Contact Form has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Jun 19, 2025 · Updated 11yr ago
Risk Assessment

The "sexy-contact-form" plugin v1.0.0 exhibits a concerning security posture, with significant risks identified by both static analysis and its historical vulnerability record. While the plugin consistently uses prepared statements for SQL queries, this is overshadowed by several critical security flaws. The analysis reveals a substantial attack surface: two AJAX handlers lack authentication checks, and nonce checks are entirely absent. Furthermore, 100% of output is emitted without proper escaping, presenting a high risk of Cross-Site Scripting (XSS) vulnerabilities.

The taint analysis highlights 9 high-severity flows, indicating potential for serious data manipulation or compromise. The use of `create_function`, a deprecated and insecure PHP function, is another red flag. The vulnerability history, including a critical unpatched CVE and past occurrences of CSRF and unrestricted file uploads, strongly suggests a pattern of recurring and severe security weaknesses within this plugin.

In conclusion, despite the diligent use of prepared statements, the "sexy-contact-form" plugin's lack of authentication on entry points, unescaped output, insecure coding practices, and a history of critical vulnerabilities make it a high-risk component. The unpatched critical vulnerability and the prevalence of high-severity taint flows are particularly alarming and require immediate attention. Users should consider disabling or replacing this plugin until these issues are addressed.

Key Concerns

  • Unpatched Critical CVE
  • High severity taint flows (9)
  • Unprotected AJAX handlers (2)
  • 0% output escaping
  • No nonce checks
  • Use of create_function
  • Vulnerability history (CSRF, Unrestricted Upload)
Vulnerabilities (2)

Creative Contact Form Security Vulnerabilities

CVEs by Year

2014: 1 CVE (patched)
2025: 1 CVE (unpatched)

Severity Breakdown

Critical: 1
Medium: 1
2 total CVEs

CVE-2025-52794 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Creative Contact Form <= 1.0.0 - Cross-Site Request Forgery
Jun 19, 2025 · Unpatched

CVE-2014-8739 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
Creative Contact Form < 1.0.0 - Arbitrary File Upload
Oct 23, 2014 · Patched in 1.0.0 (3379d)
Code Analysis (analyzed Mar 16, 2026)

Creative Contact Form Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (77 prepared)
Unescaped Output: 1013 (4 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 8
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

create_function · includes\sexycontactform_widget.php:76: add_action('widgets_init', create_function('', 'return register_widget("sexycontactform_widget");'))

Bundled Libraries

Select2

SQL Query Safety

99% prepared (78 total queries)

Output Escaping

0% escaped (1017 total outputs)

Data Flows (11 unsanitized)

Data Flow Analysis

11 flows, 11 with unsanitized paths
wpscf_render_form (includes\display-functions.php:93)

Attack Surface (2 unprotected)

Creative Contact Form Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers (2)

auth · wp_ajax_wpscf_send_email · sexycontactform.php:61
nopriv · wp_ajax_wpscf_send_email · sexycontactform.php:62

Shortcodes (1)

[creativeform] · includes\display-functions.php:25

WordPress Hooks (3)

action · admin_menu · includes\admin-page.php:71
action · admin_init · includes\admin-page.php:72
action · widgets_init · includes\sexycontactform_widget.php:76
Maintenance & Trust

Creative Contact Form Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.1.42
Last updated: Mar 13, 2015
PHP min version: (none listed)
Downloads: 61K

Community Trust

Rating: 82/100
Number of ratings: 24
Active installs: 100
Developer Profile

Creative Contact Form Developer Profile

Creative-Solutions

4 plugins · 4K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 1211 days
Detection Fingerprints

How We Detect Creative Contact Form

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/sexy-contact-form/css/admin.css
  • /wp-content/plugins/sexy-contact-form/css/ui-lightness/jquery-ui-1.10.1.custom.css
  • /wp-content/plugins/sexy-contact-form/css/options_styles.css
  • /wp-content/plugins/sexy-contact-form/css/colorpicker.css
  • /wp-content/plugins/sexy-contact-form/css/layout.css
  • /wp-content/plugins/sexy-contact-form/css/ui.slider.extras.css
  • /wp-content/plugins/sexy-contact-form/css/main.css
  • /wp-content/plugins/sexy-contact-form/js/admin.js
  • +5 more

Script Paths
  • /wp-content/plugins/sexy-contact-form/js/admin.js
  • /wp-content/plugins/sexy-contact-form/js/options_functions.js
  • /wp-content/plugins/sexy-contact-form/js/sexycontactform.js

Version Parameters
  • sexy-contact-form/css/admin.css?ver=
  • sexy-contact-form/css/ui-lightness/jquery-ui-1.10.1.custom.css?ver=
  • sexy-contact-form/css/options_styles.css?ver=
  • sexy-contact-form/css/colorpicker.css?ver=
  • sexy-contact-form/css/layout.css?ver=
  • sexy-contact-form/css/ui.slider.extras.css?ver=
  • sexy-contact-form/css/main.css?ver=
  • sexy-contact-form/js/admin.js?ver=
  • sexy-contact-form/js/options_functions.js?ver=
  • sexy-contact-form/js/colorpicker.js?ver=
  • sexy-contact-form/js/eye.js?ver=
  • sexy-contact-form/js/utils.js?ver=
  • sexy-contact-form/js/sexycontactform.js?ver=

HTML / DOM Fingerprints

CSS Classes
wrap, sexycontactform_page_sexycontactform, sexycontactform_page_sexyforms, sexycontactform_page_sexyfields, sexycontactform_page_sexytemplates
HTML Comments
strat sessioncheckincludesdisplay content functions+4 more
JS Globals
wpscf_options, wpscf_token
Shortcode Output
[creativeform
FAQ

Frequently Asked Questions about Creative Contact Form