WP-Safety

User Registration Using Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/user-registration-using-contact-form-7

User Registration Using Contact Form 7 plugin provides the feature to register the user to the website.

500 active installs v2.6 PHP 5.6+ WP 3.5+ Updated Jan 6, 2026
contact-form-7forgot-passworduser-loginuser-registration
98
A · Safe
CVEs total2
Unpatched0
Last CVEJan 16, 2026
Download
Safety Verdict

Is User Registration Using Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 98/100

User Registration Using Contact Form 7 has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Jan 16, 2026Updated 2mo ago
Risk Assessment

The 'user-registration-using-contact-form-7' plugin v2.6 exhibits a generally strong security posture, particularly in its handling of data. The absence of critical or high severity taint flows and the exclusive use of prepared statements for SQL queries are significant strengths. Furthermore, the plugin implements a healthy number of nonce and capability checks, and its attack surface is well-protected, with no unprotected entry points identified in the static analysis. The presence of Guzzle as a bundled library is noted, but without information on its specific version or known vulnerabilities, its risk is neutral for now.

However, a notable concern is the percentage of improperly escaped output. With 29% of outputs not being properly escaped, there's a potential risk of Cross-Site Scripting (XSS) vulnerabilities, especially if user-supplied data is directly reflected in the output without adequate sanitization. The vulnerability history, while showing no currently unpatched CVEs, reveals two past medium severity vulnerabilities, both related to Missing Authorization and Cross-Site Request Forgery (CSRF). The fact that the last vulnerability was in 2026 suggests these might be historical issues or potential future discoveries if not actively maintained. Despite these past issues, the current version appears to have addressed them.

In conclusion, the plugin demonstrates good security practices in data handling and access control. The primary area for improvement lies in ensuring all output is properly escaped to mitigate potential XSS risks. The historical vulnerabilities, though addressed, serve as a reminder for ongoing vigilance and updates.

Key Concerns

  • Significant percentage of unescaped output
  • Past medium severity vulnerabilities (Missing Auth, CSRF)
  • Bundled library (Guzzle) without version check
Vulnerabilities
2

User Registration Using Contact Form 7 Security Vulnerabilities

CVEs by Year

1 CVE in 2025
2025
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2025-12825medium · 5.3Missing Authorization

User Registration Using Contact Form 7 <= 2.5 - Authenticated (Subscriber+) Information Exposure

Jan 16, 2026 Patched in 2.6 (1d)
CVE-2025-32679medium · 4.3Cross-Site Request Forgery (CSRF)

User Registration Using Contact Form 7 <= 2.4 - Cross-Site Request Forgery

Apr 9, 2025 Patched in 2.5 (255d)
Code Analysis
Analyzed Mar 16, 2026

User Registration Using Contact Form 7 Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
50
124 escaped
Nonce Checks
4
Capability Checks
2
File Operations
2
External Requests
0
Bundled Libraries
1

Bundled Libraries

Guzzle

Output Escaping

71% escaped174 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
zurcf7_setting_page (inc\admin\class.zurcf7.admin.php:99)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

User Registration Using Contact Form 7 Attack Surface

Entry Points1
Unprotected0

AJAX Handlers 1

authwp_ajax_get_cf7_form_datainc\class.zurcf7.php:43
WordPress Hooks 25
actionadmin_initinc\admin\class.zurcf7.admin.action.php:24
actionadd_meta_boxesinc\admin\class.zurcf7.admin.action.php:25
actionshow_user_profileinc\admin\class.zurcf7.admin.action.php:29
actionshow_user_profileinc\admin\class.zurcf7.admin.action.php:30
actionplugins_loadedinc\admin\class.zurcf7.admin.action.php:247
filterpost_row_actionsinc\admin\class.zurcf7.admin.filter.php:25
actionplugins_loadedinc\admin\class.zurcf7.admin.filter.php:123
actionadmin_menuinc\admin\class.zurcf7.admin.php:28
actiondo_meta_boxesinc\admin\class.zurcf7.admin.php:30
actionadmin_noticesinc\admin\class.zurcf7.admin.php:107
actionadmin_noticesinc\admin\class.zurcf7.admin.php:116
actionadmin_noticesinc\admin\class.zurcf7.admin.php:158
actionplugins_loadedinc\admin\class.zurcf7.admin.php:253
actionplugins_loadedinc\class.zurcf7.php:39
filterplugin_action_linksinc\class.zurcf7.php:40
actionadmin_noticesinc\class.zurcf7.php:60
actioninitinc\class.zurcf7.php:69
actioninitinc\front\class.zurcf7.front.action.php:24
actionwp_enqueue_scriptsinc\front\class.zurcf7.front.action.php:26
actionwpcf7_before_send_mailinc\front\class.zurcf7.front.action.php:29
filterwpcf7_feedback_responseinc\front\class.zurcf7.front.action.php:31
filterwpcf7_skip_mailinc\front\class.zurcf7.front.action.php:211
actionplugins_loadedinc\front\class.zurcf7.front.action.php:340
actionplugins_loadedinc\front\class.zurcf7.front.filter.php:49
actionplugins_loadedinc\front\class.zurcf7.front.php:65
Maintenance & Trust

User Registration Using Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 6, 2026
PHP min version5.6
Downloads14K

Community Trust

Rating84/100
Number of ratings5
Active installs500
Alternatives

User Registration Using Contact Form 7 Alternatives

User Registration Date And Last Login Date

User Registration Date And Last Login Date

user-registration-date-last-login

A
85

This plugin shows the registration date and Last Login field in the table of the Users section in the WordPress dashboard.

100 No CVEs
Database Addon for Contact Form 7 – CFDB7

Database Addon for Contact Form 7 – CFDB7

contact-form-cfdb7

A
90

Save and manage Contact Form 7 messages. Never lose important data. It is a lightweight contact form 7 database plugin.

600K 7 CVEs
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

ultimate-member

B
76

Membership & community plugin with user profiles, registration & login, member directories, content restriction, user roles and much more.

200K 70 CVEs
ReCaptcha v2 for Contact Form 7

ReCaptcha v2 for Contact Form 7

wpcf7-recaptcha

A
100

Adds reCaptcha v2 from Contact Form 7 5.0.5 that was dropped on Contact Form 7 5.1

200K No CVEs
Redirection for Contact Form 7

Redirection for Contact Form 7

wpcf7-redirect

A
88

Redirect to any page or URL, execute scripts after submission, save data to the database, and unlock additional submission actions for Contact Form 7.

200K 14 CVEs
Developer Profile

User Registration Using Contact Form 7 Developer Profile

ZealousWeb

18 plugins · 7K total installs

87
trust score
Avg Security Score
98/100
Avg Patch Time
88 days
View full developer profile
Detection Fingerprints

How We Detect User Registration Using Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-registration-using-contact-form-7/inc/admin/zurcf7-admin.css/wp-content/plugins/user-registration-using-contact-form-7/inc/admin/zurcf7-admin.js
Version Parameters
user-registration-using-contact-form-7/inc/admin/zurcf7-admin.css?ver=user-registration-using-contact-form-7/inc/admin/zurcf7-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
zurcf7-setting-page
Data Attributes
data-formid
FAQ

Frequently Asked Questions about User Registration Using Contact Form 7