Smaily for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/smaily-for-contact-form-7

Flexible and straightforward Smaily newsletter integration for Contact Form 7.

100 active installs · v1.0.11 · PHP 5.6+ · WP 4.6+ · Updated Aug 8, 2025
contact-form-7, email, newsletter, smaily
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Smaily for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 100/100

Smaily for Contact Form 7 has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9mo ago
Risk Assessment

The "smaily-for-contact-form-7" plugin v1.0.11 presents a mixed security posture. While it demonstrates good practices by avoiding dangerous functions, solely using prepared statements for SQL queries, and having no recorded vulnerability history, significant concerns arise from its attack surface. Five AJAX handlers are exposed without any authentication checks, creating a direct pathway for unauthenticated users to interact with plugin functionality. Although taint analysis did not reveal any unsanitized paths, the lack of authorization on these AJAX endpoints is a critical weakness that could be exploited if malicious input can trigger unintended actions.

The plugin also exhibits a moderate concern regarding output escaping, with only 57% of observed outputs being properly escaped. This could potentially lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully before being rendered in the browser. The presence of two external HTTP requests, while not inherently bad, warrants careful review in conjunction with the other findings to ensure they do not introduce additional risks. Overall, the absence of known CVEs and a clean vulnerability history are positive indicators, but the unprotected AJAX endpoints and partial output escaping are significant weaknesses that require immediate attention to improve the plugin's security.

Key Concerns

  • Unprotected AJAX handlers
  • Insufficient output escaping
Vulnerabilities
None known

Smaily for Contact Form 7 Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Smaily for Contact Form 7 Release Timeline

v1.0.11 (Current)
v1.0.10
v1.0.9
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
Code Analysis
Analyzed Mar 16, 2026

Smaily for Contact Form 7 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 13 (17 escaped)
Nonce Checks: 2
Capability Checks: 6
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

57% escaped · 30 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
verify_credentials_callback (admin\class-smaily-for-cf7-admin.php:368)
Attack Surface
5 unprotected

Smaily for Contact Form 7 Attack Surface

Entry Points: 5
Unprotected: 5

AJAX Handlers 5

auth · wp_ajax_verify_credentials_callback · includes\class-smaily-for-cf7.php:133
nopriv · wp_ajax_verify_credentials_callback · includes\class-smaily-for-cf7.php:134
auth · wp_ajax_remove_credentials_callback · includes\class-smaily-for-cf7.php:136
nopriv · wp_ajax_remove_credentials_callback · includes\class-smaily-for-cf7.php:137
auth · wp_ajax_smaily_for_cf7_dismiss_deprecation_notice · includes\class-smaily-for-cf7.php:139
WordPress Hooks 9
action · admin_enqueue_scripts · includes\class-smaily-for-cf7.php:125
action · admin_notices · includes\class-smaily-for-cf7.php:127
filter · plugin_row_meta · includes\class-smaily-for-cf7.php:128
action · wpcf7_after_save · includes\class-smaily-for-cf7.php:130
action · wpcf7_editor_panels · includes\class-smaily-for-cf7.php:131
action · wpcf7_submit · includes\class-smaily-for-cf7.php:152
filter · wpcf7_feedback_response · public\class-smaily-for-cf7-public.php:222
filter · wpcf7_ajax_json_echo · public\class-smaily-for-cf7-public.php:232
action · plugins_loaded · smaily-for-contact-form-7.php:76
Maintenance & Trust

Smaily for Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Aug 8, 2025
PHP min version: 5.6
Downloads: 6K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 100
Developer Profile

Smaily for Contact Form 7 Developer Profile

Smaily

4 plugins · 2K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 115 days
Detection Fingerprints

How We Detect Smaily for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/smaily-for-contact-form-7/admin/css/smaily-for-contact-form-7-admin.css
/wp-content/plugins/smaily-for-contact-form-7/admin/js/smaily-for-contact-form-7-admin.js
/wp-content/plugins/smaily-for-contact-form-7/includes/js/smaily-for-contact-form-7.js
Script Paths
/wp-content/plugins/smaily-for-contact-form-7/admin/js/smaily-for-contact-form-7-admin.js
/wp-content/plugins/smaily-for-contact-form-7/includes/js/smaily-for-contact-form-7.js
Version Parameters
smaily-for-contact-form-7/admin/css/smaily-for-contact-form-7-admin.css?ver=
smaily-for-contact-form-7/admin/js/smaily-for-contact-form-7-admin.js?ver=
smaily-for-contact-form-7/includes/js/smaily-for-contact-form-7.js?ver=

HTML / DOM Fingerprints

CSS Classes
smaily-for-cf7-admin-deprecation-notice
HTML Comments
<!-- DEPRECATION NOTICE -->
JS Globals
smaily_for_cf7_dismiss_deprecation_notice
smaily_for_cf7_dismiss_deprecation_notice_nonce