Ultimate Forms Security & Risk Analysis

wordpress.org/plugins/ultimate-forms

Easily create forms which can be used to create emails or a database of form responses

0 active installs · v0.5 · PHP + · WP 4.0.0+ · Updated Apr 15, 2021
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Ultimate Forms Safe to Use in 2026?

Generally Safe

Score 85/100

Ultimate Forms has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago
Risk Assessment

The 'ultimate-forms' plugin version 0.5 exhibits a concerning security posture due to a significant number of unprotected entry points, particularly AJAX handlers. While the plugin utilizes prepared statements for the majority of its SQL queries and has a reasonable number of output escaping functions, the presence of 3 AJAX handlers without any authentication or capability checks presents a direct and serious risk. This means any unauthenticated user could potentially interact with these handlers, leading to unintended actions or information disclosure. Furthermore, the taint analysis revealing 7 high-severity flows with unsanitized paths indicates potential for serious vulnerabilities, even if not yet cataloged as CVEs. The complete lack of recorded vulnerabilities in its history is positive, but it doesn't negate the risks identified in the static analysis. The presence of the `unserialize` function is also a red flag, especially when combined with potentially unsanitized input.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Dangerous function: unserialize
  • Low output escaping percentage
  • Limited nonce/capability checks
Vulnerabilities
None known

Ultimate Forms Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Ultimate Forms Code Analysis

Dangerous Functions: 13
Raw SQL Queries: 5 (27 prepared)
Unescaped Output: 127 (144 escaped)
Nonce Checks: 2
Capability Checks: 2
File Operations: 189
External Requests: 0
Bundled Libraries: 2

Dangerous Functions Found

Function | Code | Location
unserialize | $Unserialized = unserialize($Response->Submission_Value); | Functions\EWD_UFP_Export_Form_Submissions.php:40
unserialize | $Column_Element_IDs = unserialize($_POST['Column_Element_IDs']); | Functions\EWD_UFP_Process_Ajax.php:46
unserialize | $this->currentObject = unserialize($obj); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\APC.php:152
unserialize | $this->currentObject = unserialize(fread($this->fileHandle, $this->cellCache[$pCoord]['sz'])); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\DiscISAM.php:118
unserialize | $this->currentObject = unserialize($obj); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\Memcache.php:156
unserialize | $this->currentObject = unserialize(gzinflate($this->cellCache[$pCoord])); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\MemoryGZip.php:93
unserialize | $this->currentObject = unserialize($this->cellCache[$pCoord]); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\MemorySerialized.php:91
unserialize | $this->currentObject = unserialize(fread($this->fileHandle, $this->cellCache[$pCoord]['sz'])); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\PHPTemp.php:113
unserialize | $this->currentObject = unserialize($cellResult); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\SQLite.php:112
unserialize | $this->currentObject = unserialize($cellData['value']); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\SQLite3.php:144
unserialize | $this->currentObject = unserialize($obj); | PHPExcel\Classes\PHPExcel\CachedObjectStorage\Wincache.php:154
unserialize | $this->{$key} = unserialize(serialize($val)); | PHPExcel\Classes\PHPExcel\Worksheet.php:2895
unserialize | $this->{$key} = unserialize(serialize($val)); | PHPExcel\Classes\PHPExcel.php:881

Bundled Libraries

dompdf, TCPDF

SQL Query Safety

84% prepared · 32 total queries

Output Escaping

53% escaped · 271 total outputs
Data Flows
10 unsanitized

Data Flow Analysis

10 flows · 10 with unsanitized paths
EWD_UFP_AJAX_Add_Element_To_Form (Functions\EWD_UFP_Process_Ajax.php:2)
[Data flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
3 unprotected

Ultimate Forms Attack Surface

Entry Points: 4
Unprotected: 3

AJAX Handlers: 3

Type | Hook | Location
auth | wp_ajax_ewd_ufp_add_form_element | Functions\EWD_UFP_Process_Ajax.php:13
auth | wp_ajax_ewd_ufp_clear_submissions | Functions\EWD_UFP_Process_Ajax.php:33
auth | wp_ajax_ewd_ufp_get_submissions | Functions\EWD_UFP_Process_Ajax.php:71

Shortcodes: 1

[ultimate-forms] | Shortcodes\Insert_Contact_Form.php:22

WordPress Hooks: 18

Type | Hook | Location
filter | the_content | Functions\EWD_UFP_Add_Form_To_Page.php:2
filter | get_sample_permalink_html | Functions\EWD_UFP_Edit_Form_Page_Content.php:2
filter | get_sample_permalink_html | Functions\EWD_UFP_Edit_Form_Page_Content.php:14
action | add_meta_boxes | Functions\EWD_UFP_Edit_Form_Page_Content.php:22
action | save_post | Functions\EWD_UFP_Edit_Form_Page_Content.php:633
action | init | Functions\EWD_UFP_Handle_Form_Submission.php:2
action | widgets_init | Functions\EWD_UFP_Widgets.php:69
action | init | Functions\Register_EWD_UFP_Posts_Taxonomies.php:2
action | admin_head | ultimate-forms.php:31
action | widgets_init | ultimate-forms.php:32
action | admin_head | ultimate-forms.php:33
action | admin_notices | ultimate-forms.php:34
action | admin_menu | ultimate-forms.php:51
action | admin_notices | ultimate-forms.php:93
action | after_setup_theme | ultimate-forms.php:99
action | wp_enqueue_scripts | ultimate-forms.php:124
action | wp_enqueue_scripts | ultimate-forms.php:141
action | activated_plugin | ultimate-forms.php:157

Maintenance & Trust

Ultimate Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Apr 15, 2021
PHP min version
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0

Alternatives

Ultimate Forms Alternatives

No alternatives data available yet.

Developer Profile

Ultimate Forms Developer Profile

Rustaurius

21 plugins · 66K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 716 days
Detection Fingerprints

How We Detect Ultimate Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/ultimate-forms/css/ewd-ufp-styles.css
  • /wp-content/plugins/ultimate-forms/js/ewd-ufp-js.js
Script Paths
  • /wp-content/plugins/ultimate-forms/js/Admin.js
  • /wp-content/plugins/ultimate-forms/js/spectrum.js
  • /wp-content/plugins/ultimate-forms/js/bootstrap.min.js
  • /wp-content/plugins/ultimate-forms/js/jquery.confirm.min.js
  • /wp-content/plugins/ultimate-forms/js/ewd-ufp-js.js
Version Parameters
  • ultimate-forms/js/Admin.js?ver=
  • ultimate-forms/css/Admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • EWD_UFP_Menu
  • ewd-ufp-dash-mobile-menu-open
  • MenuTab
  • ewd-ufp-dash-mobile-menu-down-caret
  • ewd-ufp-dash-mobile-menu-up-caret
  • nav-tab
  • nav-tab-active
Data Attributes
  • data-selector-id
JS Globals
  • ewd_ufp_form_data

FAQ

Frequently Asked Questions about Ultimate Forms