SureForms – Contact Form, Payment Form & Other Custom Form Builder Security & Risk Analysis

wordpress.org/plugins/sureforms

The most beginner-friendly, AI Form Builder for WordPress to create contact forms, payment forms & other custom forms with advanced features, with …

Active installs: 400K
Version: v2.5.2
PHP: 7.4+
WP: 6.4+
Updated: Mar 12, 2026
Tags: contact-form, custom-forms, form-builder, forms, payment-form

Score: 88 (A · Safe)
CVEs total: 15
Unpatched: 0
Last CVE: Feb 15, 2026
Safety Verdict

Is SureForms – Contact Form, Payment Form & Other Custom Form Builder Safe to Use in 2026?

Generally Safe

Score 88/100

SureForms – Contact Form, Payment Form & Other Custom Form Builder has a strong security track record. Known vulnerabilities have been patched promptly.

15 known CVEs · Last CVE: Feb 15, 2026 · Updated 22d ago
Risk Assessment

The SureForms plugin, version 2.5.2, exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to secure coding practices, with a high percentage of SQL queries using prepared statements and output being properly escaped. The absence of dangerous functions and bundled libraries further contributes to a generally robust codebase. However, significant concerns arise from the attack surface and vulnerability history.

Specifically, the plugin presents 40 entry points, 8 of which lack authentication checks: one AJAX handler and seven REST API routes. This is a notable weakness. The taint analysis, while limited in scope, identified one high-severity flow, suggesting a potential pathway for exploitation if not properly mitigated. The plugin's history of 15 known CVEs, none of them currently unpatched but a significant number categorized as high severity and dominated by common vulnerability types such as Missing Authorization and Improper Input Validation, indicates a recurring pattern of security flaws. That history suggests new vulnerabilities may emerge, especially given the identified unprotected entry points.

In conclusion, while SureForms shows good practices in fundamental secure coding, the substantial number of unprotected entry points and a history rife with authorization and input validation issues present a tangible risk. The plugin's strengths in prepared statements and output escaping are commendable, but they are overshadowed by the potential for attackers to leverage the unprotected attack surface and past vulnerability trends. Continued vigilance and thorough security reviews are recommended.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • High severity taint flow
  • History of 4 high severity CVEs
  • History of 11 medium severity CVEs
  • Common vulnerability: Missing Authorization
  • Common vulnerability: Improper Input Validation

Vulnerabilities (15)

SureForms – Contact Form, Payment Form & Other Custom Form Builder Security Vulnerabilities

CVEs by Year

2025: 13 CVEs
2026: 2 CVEs

Severity Breakdown

High: 4
Medium: 11

15 total CVEs

WF-061a14bf-d067-4924-b2f4-2f5986204532-sureforms · medium · 5.3 · Missing Authorization
  SureForms <= 2.2.1 - Missing Authorization
  Feb 15, 2026 · Patched in 2.2.2 (10d)

WF-8b0e0f22-de42-4da9-a0c1-ae41ba57be03-sureforms · high · 7.5 · Improper Input Validation
  SureForms – Drag and Drop Form Builder for WordPress <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation
  Feb 13, 2026 · Patched in 2.2.2 (0d)

CVE-2025-14855 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting
  Dec 20, 2025 · Patched in 2.2.1 (1d)

CVE-2025-12535 · medium · 5.3 · Cross-Site Request Forgery (CSRF)
  SureForms <= 1.13.1 - Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution
  Nov 18, 2025 · Patched in 1.13.2 (1d)

CVE-2025-12536 · medium · 5.3 · Exposure of Private Personal Information to an Unauthorized Actor
  SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure
  Nov 12, 2025 · Patched in 1.13.2 (2d)

CVE-2025-10732 · medium · 4.3 · Missing Authorization
  SureForms – Drag and Drop Form Builder for WordPress <= 1.12.1 - Missing Authorization to Authenticated (Contributor+) Information Disclosure
  Oct 13, 2025 · Patched in 1.12.2 (1d)

CVE-2025-10489 · medium · 4.3 · Missing Authorization
  SureForms – Drag and Drop Form Builder for WordPress <= 1.12.0 - Missing Authorization to Authenticated (Contributor+) Form Creation
  Sep 19, 2025 · Patched in 1.12.1 (1d)

CVE-2025-8282 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  SureForms – Drag and Drop Form Builder for WordPress <= 1.9.0 - Authenticated (Admin+) Stored Cross-Site Scripting
  Sep 2, 2025 · Patched in 1.9.1 (24d)

CVE-2025-5921 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  SureForms <= 1.7.1 - Reflected Cross-Site Scripting
  Jul 11, 2025 · Patched in 1.7.2 (11d)

CVE-2025-6691 · high · 8.1 · External Control of File Name or Path
  SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Submission Deletion
  Jul 8, 2025 · Patched in 0.0.14 (1d)

CVE-2025-6742 · high · 7.5 · Deserialization of Untrusted Data
  SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion
  Jul 8, 2025 · Patched in 0.0.14 (1d)

CVE-2025-3513 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  SureForms <= 1.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
  Apr 11, 2025 · Patched in 1.4.4 (25d)

CVE-2025-3514 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  SureForms <= 1.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
  Apr 11, 2025 · Patched in 1.4.4 (56d)

CVE-2025-3471 · medium · 4.3 · Incorrect Authorization
  SureForms – Drag and Drop Form Builder for WordPress <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Settings Update
  Apr 9, 2025 · Patched in 1.4.4 (58d)

CVE-2024-12713 · medium · 5.3 · Missing Authorization
  SureForms – Drag and Drop Form Builder for WordPress <= 1.2.2 - Missing Authorization to Unauthenticated Protected Post Disclosure
  Jan 7, 2025 · Patched in 1.2.3 (1d)

Code Analysis
Analyzed Mar 16, 2026

SureForms – Contact Form, Payment Form & Other Custom Form Builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (51 prepared)
Unescaped Output: 46 (1439 escaped)
Nonce Checks: 53
Capability Checks: 22
File Operations: 17
External Requests: 12
Bundled Libraries: 0

SQL Query Safety

96% prepared (53 total queries)

Output Escaping

97% escaped (1485 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

7 flows, 2 with unsanitized paths

Flow with unsanitized path: handle_form_submission (inc\form-submit.php:281)

Attack Surface (8 unprotected)

SureForms – Contact Form, Payment Form & Other Custom Form Builder Attack Surface

Entry Points: 40
Unprotected: 8

AJAX Handlers (27)

Context · Hook · Location
auth · wp_ajax_should_show_pointer · admin\admin.php:117
auth · wp_ajax_sureforms_dismiss_pointer · admin\admin.php:118
auth · wp_ajax_sureforms_accept_cta · admin\admin.php:119
auth · wp_ajax_srfm_notice_response · admin\admin.php:120
auth · wp_ajax_sureforms_recommended_plugin_activate · inc\admin-ajax.php:37
auth · wp_ajax_sureforms_recommended_plugin_install · inc\admin-ajax.php:38
auth · wp_ajax_sureforms_integration · inc\admin-ajax.php:39
auth · wp_ajax_srfm_download_export · inc\admin-ajax.php:40
auth · wp_ajax_validation_ajax_action · inc\form-submit.php:56
nopriv · wp_ajax_validation_ajax_action · inc\form-submit.php:57
auth · wp_ajax_srfm_global_update_allowed_block · inc\form-submit.php:59
auth · wp_ajax_srfm_global_sidebar_enabled · inc\form-submit.php:60
auth · wp_ajax_srfm_fetch_payments_transactions · inc\payments\admin\admin-handler.php:35
auth · wp_ajax_srfm_fetch_single_payment · inc\payments\admin\admin-handler.php:36
auth · wp_ajax_srfm_fetch_subscription · inc\payments\admin\admin-handler.php:37
auth · wp_ajax_srfm_fetch_forms_list · inc\payments\admin\admin-handler.php:38
auth · wp_ajax_srfm_add_payment_note · inc\payments\admin\admin-handler.php:39
auth · wp_ajax_srfm_delete_payment_note · inc\payments\admin\admin-handler.php:40
auth · wp_ajax_srfm_delete_payment_log · inc\payments\admin\admin-handler.php:41
auth · wp_ajax_srfm_bulk_delete_payments · inc\payments\admin\admin-handler.php:42
auth · wp_ajax_srfm_refund_payment · inc\payments\admin\admin-handler.php:43
auth · wp_ajax_srfm_create_payment_intent · inc\payments\front-end.php:41
nopriv · wp_ajax_srfm_create_payment_intent · inc\payments\front-end.php:42
auth · wp_ajax_srfm_create_subscription_intent · inc\payments\front-end.php:43
nopriv · wp_ajax_srfm_create_subscription_intent · inc\payments\front-end.php:44
auth · wp_ajax_srfm_stripe_cancel_subscription · inc\payments\stripe\admin-stripe-handler.php:46
auth · wp_ajax_srfm_stripe_pause_subscription · inc\payments\stripe\admin-stripe-handler.php:47

REST API Routes (12)

Method · Route · Location
POST · /wp-json/sureforms/v1/create-new-form · inc\create-new-form.php:43
GET · /wp-json/sureforms/v1/forms-data · inc\forms-data.php:44
GET · /wp-json/sureforms/v1/generate-form-markup · inc\generate-form-markup.php:41
POST · /wp-json/sureforms/v1/send-test-email-summary · inc\global-settings\email-summary.php:42
GET · /wp-json/sureforms/v1/get-learn-chapters · inc\learn.php:320
GET · /wp-json/sureforms/v1/update-learn-progress · inc\learn.php:332
GET · /wp-json/sureforms/v1/payments/stripe-connect · inc\payments\stripe\payments-settings.php:91
GET · /wp-json/sureforms/v1/payments/stripe-disconnect · inc\payments\stripe\payments-settings.php:103
GET · /wp-json/sureforms/v1/payments/stripe-callback · inc\payments\stripe\payments-settings.php:115
GET · /wp-json/sureforms/v1/payments/create-payment-webhook · inc\payments\stripe\payments-settings.php:127
POST · /wp-json/sureforms/webhook_test · inc\payments\stripe\stripe-webhook.php:62
POST · /wp-json/sureforms/webhook_live · inc\payments\stripe\stripe-webhook.php:75

Shortcodes (1)

[sureforms] · inc\post-types.php:37

WordPress Hooks (117)

Type · Hook · Location
action · admin_menu · admin\admin.php:73
action · admin_enqueue_scripts · admin\admin.php:74
action · admin_menu · admin\admin.php:75
action · admin_menu · admin\admin.php:76
action · admin_menu · admin\admin.php:77
action · admin_menu · admin\admin.php:78
action · admin_menu · admin\admin.php:80
action · admin_footer · admin\admin.php:81
filter · plugin_action_links · admin\admin.php:84
action · enqueue_block_assets · admin\admin.php:85
action · admin_head · admin\admin.php:86
filter · admin_body_class · admin\admin.php:87
action · uag_enable_quick_action_sidebar · admin\admin.php:90
action · current_screen · admin\admin.php:92
action · admin_init · admin\admin.php:94
action · admin_notices · admin\admin.php:96
filter · avf_use_block_editor_for_post · admin\admin.php:99
action · admin_menu · admin\admin.php:108
action · admin_menu · admin\admin.php:111
filter · wpforms_current_user_can · admin\admin.php:113
action · admin_enqueue_scripts · admin\admin.php:115
action · admin_init · admin\admin.php:123
action · admin_init · admin\admin.php:126
action · admin_notices · admin\admin.php:127
action · admin_notices · admin\admin.php:128
filter · use_block_editor_for_post_type · admin\admin.php:283
filter · gutenberg_can_edit_post_type · admin\admin.php:284
action · astra_notice_after_markup_srfm-plugin-review-notice · admin\admin.php:1402
action · astra_notice_after_markup_srfm-getting-started-notice · admin\admin.php:1446
action · wp_dashboard_setup · admin\admin.php:1682
filter · uds_survey_allowed_screens · admin\analytics.php:44
filter · bsf_core_stats · admin\analytics.php:80
action · current_screen · admin\analytics.php:83
action · transition_post_status · admin\analytics.php:84
filter · srfm_admin_filter · admin\notice-manager.php:47
action · wp_abilities_api_categories_init · inc\abilities\abilities-registrar.php:54
action · wp_abilities_api_init · inc\abilities\abilities-registrar.php:55
action · rest_api_init · inc\background-process.php:58
filter · astra_menu_priority · inc\compatibility\themes\astra.php:32
action · rest_api_init · inc\create-new-form.php:33
action · init · inc\events-scheduler.php:27
filter · srfm_show_conversational_form_footer · inc\form-restriction.php:95
action · rest_api_init · inc\form-submit.php:55
filter · wp_mail_content_type · inc\form-submit.php:908
action · rest_api_init · inc\forms-data.php:34
filter · template_include · inc\frontend-assets.php:69
action · wp_enqueue_scripts · inc\frontend-assets.php:70
filter · render_block · inc\frontend-assets.php:71
action · rest_api_init · inc\generate-form-markup.php:31
action · srfm_weekly_scheduled_events · inc\global-settings\email-summary.php:30
action · rest_api_init · inc\global-settings\email-summary.php:31
action · rest_api_init · inc\global-settings\global-settings.php:41
action · enqueue_block_editor_assets · inc\gutenberg-hooks.php:49
action · enqueue_block_editor_assets · inc\gutenberg-hooks.php:50
filter · block_categories_all · inc\gutenberg-hooks.php:51
filter · allowed_block_types_all · inc\gutenberg-hooks.php:52
action · save_post_sureforms_form · inc\gutenberg-hooks.php:53
action · load-post.php · inc\gutenberg-hooks.php:54
filter · safe_style_css · inc\helper.php:1504
action · rest_api_init · inc\learn.php:31
action · init · inc\page-builders\bricks\service-provider.php:27
filter · bricks/builder/i18n · inc\page-builders\bricks\service-provider.php:40
action · elementor/widgets/register · inc\page-builders\elementor\service-provider.php:32
action · elementor/elements/categories_registered · inc\page-builders\elementor\service-provider.php:33
action · elementor/editor/before_enqueue_scripts · inc\page-builders\elementor\service-provider.php:34
action · admin_enqueue_scripts · inc\payments\admin\admin-handler.php:34
filter · srfm_form_submit_data · inc\payments\front-end.php:45
action · srfm_form_submit · inc\payments\front-end.php:46
filter · srfm_show_options_values · inc\payments\front-end.php:47
filter · srfm_all_data_field_row · inc\payments\front-end.php:48
filter · srfm_map_slug_to_submission_data_should_skip · inc\payments\front-end.php:49
filter · srfm_should_skip_field_from_sample_data · inc\payments\front-end.php:50
filter · srfm_ai_form_generator_body · inc\payments\payments.php:46
filter · srfm_process_transaction_refund · inc\payments\stripe\admin-stripe-handler.php:49
action · admin_notices · inc\payments\stripe\admin-stripe-handler.php:51
action · rest_api_init · inc\payments\stripe\payments-settings.php:32
filter · srfm_global_settings_data · inc\payments\stripe\payments-settings.php:33
action · admin_init · inc\payments\stripe\payments-settings.php:34
filter · srfm_entry_value · inc\payments\stripe\payments-settings.php:35
action · rest_api_init · inc\payments\stripe\stripe-webhook.php:51
action · init · inc\post-types.php:35
action · init · inc\post-types.php:36
action · manage_posts_extra_tablenav · inc\post-types.php:38
action · admin_bar_menu · inc\post-types.php:39
action · template_redirect · inc\post-types.php:40
action · template_redirect · inc\post-types.php:41
action · load-edit.php · inc\post-types.php:42
filter · rest_prepare_sureforms_form · inc\post-types.php:44
action · admin_bar_menu · inc\post-types.php:45
filter · rank_math/excluded_post_types · inc\post-types.php:1269
filter · aioseo_public_post_types · inc\post-types.php:1332
action · cmb2_admin_init · inc\post-types.php:1376
filter · wpseo_accessible_post_types · inc\post-types.php:1379
filter · wpseo_metabox_prio · inc\post-types.php:1380
action · rest_api_init · inc\rest-api.php:44
filter · posts_search · inc\rest-api.php:207
action · srfm_daily_scheduled_action · inc\single-form-settings\compliance-settings.php:29
filter · render_block · inc\smart-tags.php:33
action · init · inc\updater.php:48
action · admin_enqueue_scripts · inc\updater.php:49
filter · filesystem_method · modules\gutenberg\classes\class-spec-filesystem.php:53
filter · request_filesystem_credentials · modules\gutenberg\classes\class-spec-filesystem.php:54
action · init · modules\gutenberg\classes\class-spec-gb-helper.php:160
action · et_after_main_content · modules\gutenberg\classes\class-spec-gb-helper.php:165
action · wp · modules\gutenberg\classes\class-spec-gb-helper.php:167
filter · render_block · modules\gutenberg\classes\class-spec-gb-helper.php:170
action · wp_enqueue_scripts · modules\gutenberg\classes\class-spec-gb-helper.php:247
action · wp_head · modules\gutenberg\classes\class-spec-gb-helper.php:248
action · wp_head · modules\gutenberg\classes\class-spec-gb-helper.php:249
action · wp_footer · modules\gutenberg\classes\class-spec-gb-helper.php:250
action · enqueue_block_assets · modules\gutenberg\classes\class-spec-init-blocks.php:61
action · enqueue_block_editor_assets · modules\gutenberg\classes\class-spec-init-blocks.php:64
action · enqueue_block_editor_assets · modules\gutenberg\classes\class-spec-spectra-compatibility.php:46
action · plugins_loaded · plugin-loader.php:81
action · plugins_loaded · plugin-loader.php:82
action · init · plugin-loader.php:83
action · admin_init · plugin-loader.php:84

Maintenance & Trust

SureForms – Contact Form, Payment Form & Other Custom Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 2.8M

Community Trust

Rating: 96/100
Number of ratings: 69
Active installs: 400K

Developer Profile

SureForms – Contact Form, Payment Form & Other Custom Form Builder Developer Profile

Brainstorm Force

32 plugins · 8.6M total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 196 days
Detection Fingerprints

How We Detect SureForms – Contact Form, Payment Form & Other Custom Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/sureforms/assets/css/admin-style.css
  • /wp-content/plugins/sureforms/assets/js/admin-script.js
  • /wp-content/plugins/sureforms/assets/css/frontend.css
  • /wp-content/plugins/sureforms/assets/js/frontend.js
  • /wp-content/plugins/sureforms/assets/js/scripts.js
  • /wp-content/plugins/sureforms/assets/css/magnific-popup.css
  • /wp-content/plugins/sureforms/assets/js/jquery.magnific-popup.min.js
  • /wp-content/plugins/sureforms/assets/js/admin-pointer.js
  • +2 more

Script Paths
  • /wp-content/plugins/sureforms/assets/js/admin-script.js
  • /wp-content/plugins/sureforms/assets/js/frontend.js
  • /wp-content/plugins/sureforms/assets/js/scripts.js
  • /wp-content/plugins/sureforms/assets/js/jquery.magnific-popup.min.js
  • /wp-content/plugins/sureforms/assets/js/admin-pointer.js
  • /wp-content/plugins/sureforms/assets/js/vue-components/dist/main.js

Version Parameters
  • sureforms/assets/css/admin-style.css?ver=
  • sureforms/assets/js/admin-script.js?ver=
  • sureforms/assets/css/frontend.css?ver=
  • sureforms/assets/js/frontend.js?ver=
  • sureforms/assets/js/scripts.js?ver=
  • sureforms/assets/css/magnific-popup.css?ver=
  • sureforms/assets/js/jquery.magnific-popup.min.js?ver=
  • sureforms/assets/js/admin-pointer.js?ver=
  • sureforms/assets/js/vue-components/dist/main.js?ver=
  • sureforms/assets/css/vue-components/dist/style.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • sr-form-builder
  • sr-form-editor
  • sr-form-settings
  • sr-form-entries
  • sr-form-dashboard
  • sr-form-field
  • sr-form-layout
  • sr-form-preview
  • +7 more

HTML Comments
  • <!-- sureforms-upgrade-to-pro -->
  • <!-- SRFM_FORMS_POST_TYPE -->
  • <!-- SRFM_ENTRIES -->
  • <!-- SRFM_PAYMENTS -->
  • +9 more

Data Attributes
  • data-nonce
  • data-plugin-slug
  • data-admin-url
  • data-ajax-url
  • data-form-id
  • data-pointer-target
  • +5 more

JS Globals
  • SureForms
  • SRFM_AJAX_URL
  • SRFM_NONCE
  • SRFM_FORM_BUILDER_URL
  • SRFM_Admin_Pointer
  • SRFM_Vue_App

REST Endpoints
  • /wp-json/sureforms/v1/forms
  • /wp-json/sureforms/v1/entries
  • /wp-json/sureforms/v1/settings
  • /wp-json/sureforms/v1/forms/(?P<id>[\d]+)
  • /wp-json/sureforms/v1/entries/(?P<id>[\d]+)
  • /wp-json/sureforms/v1/payments/stripe/webhook
  • /wp-json/sureforms/v1/payments/paypal/webhook
  • /wp-json/sureforms/v1/admin/pointer/should-show
  • /wp-json/sureforms/v1/admin/pointer/dismiss
  • /wp-json/sureforms/v1/admin/pointer/accept-cta
  • /wp-json/sureforms/v1/admin/notice/response
  • /wp-json/sureforms/v1/ai-form-builder/generate

Shortcode Output
  • [sureforms id=""]
  • [sureforms_entries id=""]
  • [sureforms_payment_form id=""]

FAQ

Frequently Asked Questions about SureForms – Contact Form, Payment Form & Other Custom Form Builder