VPSUForm – Drag & Drop Contact Form Builder with Email Automation Security & Risk Analysis

wordpress.org/plugins/v-form

A lightweight drag-and-drop WordPress form builder with email automation, conditional logic, spam protection, and full lead management.

200 active installs v3.2.31 PHP 7.0+ WP 5.6+ Updated Mar 14, 2026
Tags: contact-form, drag-and-drop-form, email-automation, form-builder, wordpress-forms
92
A · Safe
CVEs total: 7
Unpatched: 0
Last CVE: Dec 23, 2025
Safety Verdict

Is VPSUForm – Drag & Drop Contact Form Builder with Email Automation Safe to Use in 2026?

Generally Safe

Score 92/100

VPSUForm – Drag & Drop Contact Form Builder with Email Automation has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Dec 23, 2025 · Updated 20d ago
Risk Assessment

The "v-form" plugin exhibits a mixed security posture. While it employs prepared statements for a majority of its SQL queries and includes a reasonable number of nonce checks, significant concerns arise from its attack surface and input sanitization practices. The presence of 17 unprotected entry points (AJAX handlers and REST API routes) is a critical weakness, exposing the plugin to unauthorized access and potential exploitation. Furthermore, the taint analysis revealing 6 high-severity flows with unsanitized paths indicates a high likelihood of vulnerabilities like Cross-Site Scripting (XSS) or other injection flaws if these flows are exposed externally.

The plugin's vulnerability history, with 7 known CVEs including one high and six medium severity, reinforces these concerns. The common types of vulnerabilities identified (Exposure of Sensitive Information, Missing Authorization, XSS) directly align with the risks highlighted in the static and taint analysis. The most recent vulnerability dates from late 2025, which might suggest a history of security issues. Despite positive aspects such as the use of PHPMailer (though its version is not specified, so it cannot be checked for being outdated) and a good percentage of escaped outputs, the identified unprotected entry points and high-severity taint flows present a substantial risk.

In conclusion, "v-form" v3.2.31 has several concerning security practices, primarily related to its exposed attack surface and input sanitization. While some good security habits are present, they are overshadowed by the potential for exploitation through unprotected AJAX handlers and REST API routes, and the high-severity taint flows. Users should exercise extreme caution or consider alternative plugins until these critical issues are addressed.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • High severity taint flows
  • SQL queries without prepared statements
  • Output escaping below 50%
  • Known CVEs (1 High, 6 Medium)
Vulnerabilities
7

VPSUForm – Drag & Drop Contact Form Builder with Email Automation Security Vulnerabilities

CVEs by Year

2024: 2 CVEs
2025: 5 CVEs

Severity Breakdown

High: 1
Medium: 6

7 total CVEs

CVE-2025-68551 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

VPSUForm <= 3.2.24 - Authenticated (Contributor+) Information Exposure

Dec 23, 2025 Patched in 3.2.25 (15d)
CVE-2025-58957 · medium · 4.3 · Missing Authorization

VPSUForm <= 3.2.20 - Missing Authorization

Sep 22, 2025 Patched in 3.2.21 (5d)
CVE-2025-46250 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VForm <= 3.1.14 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 22, 2025 Patched in 3.1.15 (9d)
CVE-2025-30778 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VForm <= 3.1.9 - Reflected Cross-Site Scripting

Apr 1, 2025 Patched in 3.1.10 (9d)
CVE-2025-24604 · medium · 4.3 · Missing Authorization

VForm <= 3.0.5 - Missing Authorization

Jan 24, 2025 Patched in 3.0.7 (5d)
CVE-2024-54302 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VForm <= 3.0.0 - Reflected Cross-Site Scripting

Dec 11, 2024 Patched in 3.0.1 (9d)
CVE-2024-6770 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Lifetime free Drag & Drop Contact Form Builder for WordPress VForm <= 2.1.5 - Unauthenticated Stored Cross-Site Scripting

Jul 30, 2024 Patched in 2.1.6 (1d)
Code Analysis
Analyzed Mar 16, 2026

VPSUForm – Drag & Drop Contact Form Builder with Email Automation Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 49 (82 prepared)
Unescaped Output: 236 (220 escaped)
Nonce Checks: 31
Capability Checks: 6
File Operations: 4
External Requests: 11
Bundled Libraries: 1

Bundled Libraries

PHPMailer

SQL Query Safety

63% prepared · 131 total queries

Output Escaping

48% escaped · 456 total outputs
Data Flows
11 unsanitized

Data Flow Analysis

25 flows · 11 with unsanitized paths
<templates> (inc\admin\templates\templates.php:0)
Attack Surface
17 unprotected

VPSUForm – Drag & Drop Contact Form Builder with Email Automation Attack Surface

Entry Points: 50
Unprotected: 17

AJAX Handlers 41

auth wp_ajax_myvformsave vform.php:367
auth wp_ajax_myvformcreate vform.php:410
auth wp_ajax_myvformdelete vform.php:461
auth wp_ajax_myvformclone vform.php:487
auth wp_ajax_myvformfrontsave vform.php:543
nopriv wp_ajax_myvformfrontsave vform.php:544
auth wp_ajax_myvformsend vform.php:1623
auth wp_ajax_myvformdonate vform.php:1696
auth wp_ajax_myvformbrevo vform.php:1739
auth wp_ajax_myvformconversion vform.php:1778
nopriv wp_ajax_myvformconversion vform.php:1779
auth wp_ajax_myvformstarttrack vform.php:1815
nopriv wp_ajax_myvformstarttrack vform.php:1816
auth wp_ajax_myvformentriedel vform.php:1882
auth wp_ajax_myvformneedinte vform.php:1933
auth wp_ajax_createmynotifi vform.php:1967
auth wp_ajax_deletemynotifi vform.php:2004
auth wp_ajax_savemynotifi vform.php:2043
auth wp_ajax_savesecurity vform.php:2085
auth wp_ajax_savegooglesheet vform.php:2121
auth wp_ajax_savewebhookurl vform.php:2154
auth wp_ajax_quickeditsave vform.php:2463
auth wp_ajax_filter_table vform.php:2499
nopriv wp_ajax_filter_table vform.php:2500
auth wp_ajax_save_field_logic_groups vform.php:2832
auth wp_ajax_delete_field_logic_group vform.php:2864
auth wp_ajax_get_saved_field_logic_groups vform.php:2905
auth wp_ajax_vformfeedback vform.php:2989
auth wp_ajax_createmysmtp vform.php:3340
auth wp_ajax_vform_import_template vform.php:3640
auth wp_ajax_vform_templatekey vform.php:3758
auth wp_ajax_vf_test_smtp vform.php:3966
auth wp_ajax_vform_save_automation vform.php:4017
auth wp_ajax_vform_delete_automation vform.php:4048
auth wp_ajax_vform_get_automation vform.php:4057
auth wp_ajax_vf_get_form_fields vform.php:4126
auth wp_ajax_vpsuform_save_key vform.php:4154
auth wp_ajax_vpsu_mark_viewed vform.php:4178
auth wp_ajax_myvformentrieread vform.php:4195
auth wp_ajax_vpsuform_review_later vform.php:4335
auth wp_ajax_vpsuform_review_dismiss vform.php:4340

REST API Routes 5

GET /wp-json/vform/v1/forms vform.php:3319
GET /wp-json/vform/v1/form-preview/(?P<id>\d+) vform.php:3325
GET /wp-json/vform/v1/(?P<formid>\d+)/entries vform.php:3498
POST /wp-json/vform/v1/submit vform.php:3580
GET /wp-json/vform/v1/allforms vform.php:3601

Shortcodes 4

[vform] vform.php:170
[vpsuform] vform.php:171
[vform_userdetails] vform.php:172
[vpsuform_userdetails] vform.php:173
WordPress Hooks 34
action wp_enqueue_scripts vform.php:30
action admin_enqueue_scripts vform.php:51
action admin_menu vform.php:83
filter plugin_action_links vform.php:129
filter plugin_row_meta vform.php:150
action init vform.php:167
filter wp_mail_content_type vform.php:1029
filter wp_mail_content_type vform.php:1645
filter wp_mail_content_type vform.php:1728
filter wp_mail_content_type vform.php:1767
filter wp_mail_content_type vform.php:1956
action admin_post_export_csv vform.php:2192
action admin_post_export_csv2 vform.php:2308
action init vform.php:2404
filter query_vars vform.php:2412
action template_redirect vform.php:2457
action wp_enqueue_scripts vform.php:2901
action admin_enqueue_scripts vform.php:2902
action admin_footer vform.php:2950
filter wp_mail_content_type vform.php:3018
action plugins_loaded vform.php:3215
action elementor/widgets/widgets_registered vform.php:3227
action init vform.php:3309
action rest_api_init vform.php:3333
action phpmailer_init vform.php:3409
action rest_api_init vform.php:3504
action rest_api_init vform.php:3579
action rest_api_init vform.php:3600
filter wp_mail_content_type vform.php:3731
action admin_post_vform_export_single vform.php:3815
action admin_post_vform_import_single vform.php:3887
action vform_send_scheduled_email vform.php:4111
action admin_init vform.php:4247
action admin_notices vform.php:4263

Scheduled Events 1

vform_send_scheduled_email
Maintenance & Trust

VPSUForm – Drag & Drop Contact Form Builder with Email Automation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 14, 2026
PHP min version: 7.0
Downloads: 22K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 200
Developer Profile

VPSUForm – Drag & Drop Contact Form Builder with Email Automation Developer Profile

Vikas Ratudi

7 plugins · 540 total installs

Trust score: 93
Avg Security Score: 99/100
Avg Patch Time: 8 days
Detection Fingerprints

How We Detect VPSUForm – Drag & Drop Contact Form Builder with Email Automation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/v-form/assets/css/style.css
/wp-content/plugins/v-form/assets/css/fontawesome.css
/wp-content/plugins/v-form/assets/js/frontend.js
/wp-content/plugins/v-form/assets/js/custom.js
/wp-content/plugins/v-form/assets/css/deactivate-popup-style.css
/wp-content/plugins/v-form/assets/js/deactivate--popup-script.js
/wp-content/plugins/v-form/assets/css/admin-dashboard.css
/wp-content/plugins/v-form/assets/css/admin-entries.css
(+3 more)
Script Paths
/wp-content/plugins/v-form/assets/js/frontend.js
/wp-content/plugins/v-form/assets/js/custom.js
/wp-content/plugins/v-form/assets/js/deactivate--popup-script.js
/wp-content/plugins/v-form/assets/js/campaigns-script.js
Version Parameters
v-form/assets/css/style.css?ver=
v-form/assets/css/fontawesome.css?ver=
vform/assets/js/frontend.js?ver=
vform/assets/js/custom.js?ver=
vform/assets/css/deactivate-popup-style.css?ver=
vform/assets/js/deactivate--popup-script.js?ver=
vform/assets/css/admin-dashboard.css?ver=
vform/assets/css/admin-entries.css?ver=
vform/assets/css/templates.css?ver=
vform/assets/css/campaigns.css?ver=
vform/assets/js/campaigns-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
update-plugins, plugin-count
Data Attributes
data-pluginurl
JS Globals
ajax_object, pluginData
Shortcode Output
[vform] [vpsuform] [vform_userdetails] [vpsuform_userdetails]
FAQ

Frequently Asked Questions about VPSUForm – Drag & Drop Contact Form Builder with Email Automation