Spark GF Failed Submissions Security & Risk Analysis

wordpress.org/plugins/spark-gf-failed-submissions

Track failed form submissions and get notified when they reach a customisable threshold. Requires Gravity Forms.

70 active installs · v1.3.6 · PHP 7.0+ · WP 3.0.1+ · Updated Dec 4, 2025
Tags: failed-submissions, gravity-forms, logging, validation
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 10, 2025
Safety Verdict

Is Spark GF Failed Submissions Safe to Use in 2026?

Generally Safe

Score 99/100

Spark GF Failed Submissions has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 10, 2025 · Updated 4mo ago
Risk Assessment

The spark-gf-failed-submissions plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a lack of direct attack vectors like AJAX handlers, REST API routes, or shortcodes without proper authentication or permission checks. The absence of dangerous functions, file operations, and external HTTP requests is also encouraging. However, concerns arise from the code signals. With 22 SQL queries, 68% using prepared statements is acceptable but not ideal, leaving room for potential injection flaws if the remaining queries are not handled carefully. The most significant weakness is the low rate of proper output escaping at only 37%, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities where user-supplied data might be reflected in the output without adequate sanitization.

The vulnerability history shows one past medium-severity CVE related to XSS, which aligns with the static analysis findings regarding output escaping. While there are no currently unpatched vulnerabilities, the existence of a past XSS issue and the low output escaping rate suggest that this type of vulnerability could be a recurring problem for this plugin. The lack of capability checks on any entry points is a notable omission, potentially allowing unauthorized users to trigger plugin functionality if such entry points were to be discovered or added in the future. The current analysis doesn't highlight critical taint flows, which is a positive sign, but the low output escaping rate remains a significant concern.

In conclusion, while the plugin benefits from a limited attack surface and the absence of certain dangerous code patterns, the insufficient output escaping is a critical weakness that significantly increases the risk of XSS attacks. The historical presence of an XSS vulnerability further reinforces this concern. Addressing the output escaping and ensuring robust capability checks for any future entry points would greatly improve the plugin's security. The current version appears to have patched its past known vulnerability, but the underlying code quality regarding output sanitization needs improvement.

Key Concerns

  • Low output escaping rate
  • Medium severity CVE in history
  • SQL queries not always prepared
  • No capability checks on entry points
Vulnerabilities: 1

Spark GF Failed Submissions Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-32670 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Spark GF Failed Submissions <= 1.3.5 - Reflected Cross-Site Scripting

Apr 10, 2025 Patched in 1.3.6 (29d)
Code Analysis
Analyzed Mar 16, 2026

Spark GF Failed Submissions Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 7 (15 prepared)
Unescaped Output: 47 (28 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

68% prepared · 22 total queries

Output Escaping

37% escaped · 75 total outputs
Data Flows: All sanitized

Data Flow Analysis

2 flows
admin_page (includes\class-spark-gf-failed-submissions-gfaddon.php:486)
Attack Surface

Spark GF Failed Submissions Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 13
  • filter gform_validation (includes\class-spark-gf-failed-submissions-gfaddon.php:47)
  • filter gform_validation (includes\class-spark-gf-failed-submissions-gfaddon.php:48)
  • action gform_form_actions (includes\class-spark-gf-failed-submissions-gfaddon.php:51)
  • filter gform_toolbar_menu (includes\class-spark-gf-failed-submissions-gfaddon.php:52)
  • filter gform_addon_navigation (includes\class-spark-gf-failed-submissions-gfaddon.php:53)
  • filter gform_validation_message (includes\class-spark-gf-failed-submissions-gfaddon.php:300)
  • action plugins_loaded (includes\class-spark-gf-failed-submissions.php:134)
  • action gform_loaded (includes\class-spark-gf-failed-submissions.php:143)
  • action admin_init (includes\class-spark-gf-failed-submissions.php:157)
  • action wpmu_new_blog (includes\class-spark-gf-failed-submissions.php:158)
  • filter wpmu_drop_tables (includes\class-spark-gf-failed-submissions.php:159)
  • action init (includes\class-spark-gf-failed-submissions.php:180)
  • action switch_blog (includes\class-spark-gf-failed-submissions.php:181)
Maintenance & Trust

Spark GF Failed Submissions Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 4, 2025
PHP min version: 7.0
Downloads: 8K

Community Trust

Rating: 80/100
Number of ratings: 1
Active installs: 70
Developer Profile

Spark GF Failed Submissions Developer Profile

Mark Parnell

1 plugin · 70 total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 29 days
Detection Fingerprints

How We Detect Spark GF Failed Submissions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/spark-gf-failed-submissions/css/spark-gf-failed-submissions-admin.css
/wp-content/plugins/spark-gf-failed-submissions/js/spark-gf-failed-submissions-admin.js
Script Paths
/wp-content/plugins/spark-gf-failed-submissions/js/spark-gf-failed-submissions-admin.js
Version Parameters
spark-gf-failed-submissions/css/spark-gf-failed-submissions-admin.css?ver=
spark-gf-failed-submissions/js/spark-gf-failed-submissions-admin.js?ver=

HTML / DOM Fingerprints
