Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent Security & Risk Analysis

wordpress.org/plugins/tablesome

Powerful Table, Form & Mail Automations. Form Entry Management (+ frontend table ), integrate with MailChimp, G Sheets, CF7, WPForms, Elementor, etc.

8K active installs · v1.2.6 · PHP 7.0+ · WP 6.7+ · Updated Mar 13, 2026
Tags: contact-form-7, email, redirect, table, wpforms
Score: 37 · D · High Risk
CVEs total: 11
Unpatched: 2
Last CVE: Feb 24, 2026
Safety Verdict

Is Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent Safe to Use in 2026?

High Risk

Score 37/100

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent carries significant security risk with 11 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

11 known CVEs · 2 unpatched · Last CVE: Feb 24, 2026 · Updated 21d ago
Risk Assessment

Tablesome v1.2.6 presents a mixed security posture. While the code demonstrates good practices with a high percentage of prepared SQL statements and properly escaped output, several significant concerns remain. The static analysis reveals a notable attack surface with 7 AJAX handlers, 4 of which lack authentication checks. This is a critical oversight that could allow unauthorized actions. The taint analysis is clean, which is positive, but it only analyzed a single flow, suggesting this might not be a comprehensive assessment of potential vulnerabilities.

Key Concerns

  • 4 unprotected AJAX handlers
  • 2 currently unpatched CVEs
  • 1 critical, 1 high historical CVE
  • History of diverse vulnerability types
  • Bundled Freemius library
  • Large number of SQL queries
Vulnerabilities
11

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 3 CVEs
  • 2025: 4 CVEs
  • 2026: 3 CVEs · unpatched

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 9

11 total CVEs

CVE-2026-27373 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.2.3 - Authenticated (Subscriber+) SQL Injection

Feb 24, 2026 · Unpatched
CVE-2025-12845 · high · 8.8 · Missing Authorization

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation

Feb 18, 2026 Patched in 1.2.2 (1d)
CVE-2026-24524 · medium · 4.3 · Missing Authorization

Tablesome <= 1.2.2 - Missing Authorization

Jan 26, 2026 · Unpatched
CVE-2025-68516 · medium · 6.5 · Exposure of Sensitive Information to an Unauthorized Actor

Tablesome <= 1.1.35.1 - Authenticated (Subscriber+) Information Exposure

Dec 22, 2025 Patched in 1.1.35.2 (16d)
CVE-2025-68517 · medium · 4.3 · Missing Authorization

Tablesome <= 1.1.35.1 - Missing Authorization

Dec 22, 2025 Patched in 1.1.35.2 (16d)
CVE-2025-66526 · medium · 4.3 · Missing Authorization

Tablesome <= 1.1.34 - Missing Authorization

Dec 5, 2025 Patched in 1.1.35.1 (7d)
CVE-2025-11499 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.1.32 - Unauthenticated Arbitrary File Upload

Oct 31, 2025 Patched in 1.3.33 (1d)
CVE-2024-37498 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Table & Contact Form 7 Database – Tablesome <= 1.0.33 - Unauthenticated Sensitive Information Exposure

Jul 4, 2024 Patched in 1.0.34 (8d)
CVE-2024-31388 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Table & Contact Form 7 Database – Tablesome <= 1.0.25 - Cross-Site Request Forgery

Apr 10, 2024 Patched in 1.0.26 (7d)
CVE-2024-29110 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Table & Contact Form 7 Database – Tablesome <= 1.0.27 - Reflected Cross-Site Scripting

Mar 16, 2024 Patched in 1.0.28 (5d)
CVE-2023-1890 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Tablesome <= 1.0.8 - Reflected Cross-Site Scripting

Apr 19, 2023 Patched in 1.0.9 (279d)
Code Analysis
Analyzed Mar 16, 2026

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 6 (70 prepared)
  • Unescaped Output: 6 (164 escaped)
  • Nonce Checks: 10
  • Capability Checks: 16
  • File Operations: 25
  • External Requests: 28
  • Bundled Libraries: 1

Bundled Libraries

Freemius

SQL Query Safety

92% prepared · 76 total queries

Output Escaping

96% escaped · 170 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flow
<actions> (includes\actions.php:0)
Attack Surface
4 unprotected

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent Attack Surface

Entry Points: 9
Unprotected: 4

AJAX Handlers 7

  • auth · wp_ajax_store_tablesome_data · includes\ajax-handler.php:15
  • auth · wp_ajax_get_tables_data · includes\ajax-handler.php:22
  • auth · wp_ajax_get_table_columns · includes\ajax-handler.php:25
  • auth · wp_ajax_update_feature_notice_dismissal_data_via_ajax · includes\ajax-handler.php:27
  • auth · wp_ajax_get_redirection_data · includes\ajax-handler.php:29
  • nopriv · wp_ajax_get_redirection_data · includes\ajax-handler.php:30
  • auth · wp_ajax_tablesome_dismiss_oauth_notice · includes\modules\oauth-health-monitor.php:60

Shortcodes 2

[tablesome] includes\shortcodes.php:16
[tablesome_get_params] includes\shortcodes.php:17
WordPress Hooks 74
  • filter · tablesome_get_cell_data · components\cell-types\button.php:10
  • filter · tablesome_get_cell_data · components\cell-types\date.php:10
  • filter · tablesome_get_cell_data · components\cell-types\email.php:10
  • filter · tablesome_get_cell_data · components\cell-types\file\controller.php:16
  • filter · tablesome_get_cell_data · components\cell-types\text.php:13
  • filter · tablesome_get_cell_data · components\cell-types\textarea.php:10
  • filter · tablesome_get_cell_data · components\cell-types\url.php:11
  • filter · posts_where · components\table\other-cpt-model.php:89
  • action · admin_notices · components\table\quick-actions.php:112
  • action · init · includes\actions.php:36
  • action · rest_api_init · includes\actions.php:38
  • action · admin_enqueue_scripts · includes\actions.php:40
  • action · wp_enqueue_scripts · includes\actions.php:42
  • action · admin_menu · includes\actions.php:45
  • action · admin_menu · includes\actions.php:46
  • action · admin_menu · includes\actions.php:47
  • action · admin_menu · includes\actions.php:48
  • action · admin_init · includes\actions.php:51
  • action · admin_init · includes\actions.php:52
  • action · admin_init · includes\actions.php:53
  • action · init · includes\actions.php:59
  • action · load-post-new.php · includes\actions.php:60
  • action · admin_enqueue_scripts · includes\actions.php:61
  • action · wp_enqueue_scripts · includes\actions.php:62
  • action · admin_bar_menu · includes\actions.php:63
  • action · elementor/editor/before_enqueue_scripts · includes\actions.php:65
  • action · before_delete_post · includes\actions.php:66
  • action · tablesome/send_data_to_amplitude · includes\actions.php:79
  • action · admin_action_duplicate_the_tablesome_table · includes\actions.php:80
  • action · admin_action_empty_the_tablesome_table · includes\actions.php:86
  • action · admin_action_create_new_email_logs_trigger_table · includes\actions.php:92
  • action · admin_action_publish_table · includes\actions.php:98
  • action · admin_action_redirect_to_table · includes\actions.php:104
  • action · admin_footer · includes\actions.php:110
  • action · admin_footer · includes\actions.php:111
  • action · wp_footer · includes\actions.php:112
  • action · wp_footer · includes\actions.php:113
  • action · after_license_change · includes\actions.php:278
  • filter · get_edit_post_link · includes\actions.php:288
  • action · admin_notices · includes\actions.php:1050
  • action · init · includes\blocks\tablesome-shortcode.php:24
  • action · enqueue_block_editor_assets · includes\blocks\tablesome-shortcode.php:25
  • action · enqueue_block_editor_assets · includes\blocks\tablesome-shortcode.php:27
  • action · init · includes\cpt.php:24
  • action · tablesome_before_get_rows · includes\debug\large-table-diagnostics.php:41
  • action · tablesome_after_get_rows · includes\debug\large-table-diagnostics.php:42
  • action · shutdown · includes\debug\large-table-diagnostics.php:43
  • filter · the_content · includes\filters.php:14
  • filter · custom_menu_order · includes\filters.php:16
  • filter · tablesome_data · includes\filters.php:18
  • filter · tablesome_sanitizing_the_array_values · includes\filters.php:20
  • filter · cron_schedules · includes\filters.php:30
  • filter · wp_check_filetype_and_ext · includes\filters.php:32
  • filter · post_row_actions · includes\filters.php:34
  • filter · eeb/validate/is_post_excluded · includes\filters.php:209
  • action · admin_notices · includes\modules\feature-notice.php:27
  • action · admin_notices · includes\modules\oauth-health-monitor.php:52
  • action · admin_bar_menu · includes\modules\oauth-health-monitor.php:55
  • action · admin_head · includes\modules\oauth-health-monitor.php:56
  • action · wp_head · includes\modules\oauth-health-monitor.php:57
  • action · admin_action_tablesome_oauth_health_check · includes\modules\oauth-health-monitor.php:63
  • action · admin_notices · includes\modules\review-notification.php:136
  • action · tablesome_automation/add_log · includes\modules\workflow\event-log\event-log.php:30
  • filter · tablesome_form_submission_data · includes\modules\workflow\workflow-manager.php:47
  • filter · tablesome_column_formats · includes\plugins\dropdown\dropdown.php:14
  • filter · tablesome_column_options · includes\plugins\dropdown\dropdown.php:15
  • action · csf_loaded · includes\settings\settings.php:18
  • action · init · includes\shortcode-builder\builder.php:17
  • action · admin_notices · includes\tracking\notices.php:16
  • action · init · tablesome.php:41
  • action · admin_notices · tablesome.php:99
  • action · admin_notices · tablesome.php:101
  • action · tablesome_before_table_load · workflow-library\actions\gsheet-load-from.php:26
  • action · wpforms_frontend_confirmation_message_after · workflow-library\triggers\wp-forms.php:50
Maintenance & Trust

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 13, 2026
PHP min version: 7.0
Downloads: 370K

Community Trust

Rating: 96/100
Number of ratings: 85
Active installs: 8K
Developer Profile

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent Developer Profile

Essekia

2 plugins · 17K total installs

Trust score: 55
Avg Security Score: 66/100
Avg Patch Time: 195 days
Detection Fingerprints

How We Detect Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/tablesome/assets/css/admin.css
  • /wp-content/plugins/tablesome/assets/css/style.css
  • /wp-content/plugins/tablesome/assets/css/frontend.css
  • /wp-content/plugins/tablesome/assets/css/vendor/dataTables.bootstrap.min.css
  • /wp-content/plugins/tablesome/assets/js/admin.js
  • /wp-content/plugins/tablesome/assets/js/frontend.js
  • /wp-content/plugins/tablesome/assets/js/vendor/jquery.dataTables.min.js
  • /wp-content/plugins/tablesome/assets/js/vendor/dataTables.bootstrap.min.js
  • +3 more
Script Paths
  • /wp-content/plugins/tablesome/assets/js/admin.js
  • /wp-content/plugins/tablesome/assets/js/frontend.js
  • /wp-content/plugins/tablesome/assets/js/vendor/jquery.dataTables.min.js
  • /wp-content/plugins/tablesome/assets/js/vendor/dataTables.bootstrap.min.js
  • /wp-content/plugins/tablesome/assets/js/vendor/moment.min.js
  • /wp-content/plugins/tablesome/assets/js/vendor/datetime-moment.js
  • +1 more
Version Parameters
  • /wp-content/plugins/tablesome/assets/css/admin.css?ver=
  • /wp-content/plugins/tablesome/assets/css/style.css?ver=
  • /wp-content/plugins/tablesome/assets/css/frontend.css?ver=
  • /wp-content/plugins/tablesome/assets/css/vendor/dataTables.bootstrap.min.css?ver=
  • /wp-content/plugins/tablesome/assets/js/admin.js?ver=
  • /wp-content/plugins/tablesome/assets/js/frontend.js?ver=
  • /wp-content/plugins/tablesome/assets/js/vendor/jquery.dataTables.min.js?ver=
  • /wp-content/plugins/tablesome/assets/js/vendor/dataTables.bootstrap.min.js?ver=
  • /wp-content/plugins/tablesome/assets/js/vendor/moment.min.js?ver=
  • /wp-content/plugins/tablesome/assets/js/vendor/datetime-moment.js?ver=
  • /wp-content/plugins/tablesome/assets/js/vendor/tablesome-form-submit.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • tablesome-data-table
  • tablesome-table-wrapper
  • tablesome-backend-list-table
  • tablesome-frontend-list-table
HTML Comments
  • <!-- Tablesome data table -->
  • <!-- Tablesome table -->
  • <!-- tablesome-table -->
Data Attributes
  • data-tablesome-table-id
  • data-tablesome-table-row-id
JS Globals
  • tablesome_params
  • tablesome_form_submit_config
Shortcode Output
  • [tablesome
  • [tablesome_form_entries
FAQ

Frequently Asked Questions about Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent