Visual Form Builder Security & Risk Analysis

wordpress.org/plugins/visual-form-builder

Build beautiful, fully functional contact forms in only a few minutes without writing PHP, CSS, or HTML.

20K active installs · v3.1 · PHP + WP 4.7+ · Updated May 27, 2022
Tags: contact-form, contact-forms, form, forms
Score: 81/100 (B · Generally Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Apr 11, 2022
Safety Verdict

Is Visual Form Builder Safe to Use in 2026?

Mostly Safe

Score 81/100

Visual Form Builder is generally safe to use, though it has not been updated since May 27, 2022. All 8 past CVEs were resolved and none is currently unpatched.

8 known CVEs · Last CVE: Apr 11, 2022 · Updated 3yr ago
Risk Assessment

The "visual-form-builder" plugin v3.1 presents a mixed security posture. It demonstrates good practice in output escaping (97% of 555 outputs escaped) and uses prepared statements for most of its SQL queries (85% of 81), but several concerns warrant attention. Two AJAX handlers without authorisation checks and four high-severity taint flows with unsanitised paths (six flows in total have unsanitised paths) are potential entry points. The dangerous function unserialize is called 15 times; every call listed in the code analysis operates on a value read back from the plugin's own database tables (entry data, field options, the form's recipient list), so the exposure is PHP object injection whenever an attacker can get serialised data written into those columns, for example through an SQL injection or an unchecked save handler. The vulnerability history, 8 CVEs comprising three high-severity issues (a CSRF leading to data modification, a CSRF chaining to SQL injection, and an authenticated SQL injection) and five medium-severity issues (stored and reflected XSS, CSV injection, unauthenticated information disclosure), shows a recurring pattern of input-handling weaknesses. Although no CVE is currently unpatched, the last release dates from May 27, 2022, so any new finding would need a fix from a project that has been idle for several years. The plugin's strengths lie in its general adherence to secure coding for output and SQL; the identified attack surface and the historical issues elevate its risk profile.

Key Concerns

  • AJAX handlers without auth checks
  • High severity taint flows with unsanitized paths
  • Use of dangerous function 'unserialize'
  • High severity historical CVEs (3)
  • Medium severity historical CVEs (5)
  • SQL queries without prepared statements (15%)
Vulnerabilities
8 published

Visual Form Builder Security Vulnerabilities

CVEs by Year

2015: 3 CVEs
2021: 3 CVEs
2022: 2 CVEs
All patched; none unpatched.

Severity Breakdown

High: 3
Medium: 5
Total: 8 CVEs

CVE-2022-0141 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Visual Form Builder <= 3.0.7 - Cross-Site Request Forgery to Data Modification
Apr 11, 2022 · Patched in 3.0.8 (652d)

CVE-2022-1046 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Visual Form Builder <= 3.0.6 - Admin+ Cross-Site Scripting
Apr 7, 2022 · Patched in 3.0.7 (656d)

CVE-2022-0140 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Visual Form Builder <= 3.0.5 - Unauthenticated Information Disclosure
Nov 3, 2021 · Patched in 3.0.6 (811d)

CVE-2022-0142 · medium · 5.3 · Improper Privilege Management
Visual Form Builder <= 3.0.5 - CSV Injection
Nov 3, 2021 · Patched in 3.0.6 (811d)

CVE-2021-24514 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Visual Form Builder <= 3.0.3 - Admin+ Stored Cross-Site Scripting
Sep 27, 2021 · Patched in 3.0.4 (848d)

WF-16e2c051-6ec6-4b09-8802-adb537fa9af0-visual-form-builder · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Visual Form Builder <= 2.8.2 - Reflected Cross-Site Scripting
May 15, 2015 · Patched in 2.8.3 (3175d)

WF-373e9a7c-cdc3-43cb-9c8f-2be25f514b61-visual-form-builder · high · 8.8 · Cross-Site Request Forgery (CSRF)
Visual Form Builder <= 2.8.2 - Cross-Site Request Forgery to SQL Injection
May 15, 2015 · Patched in 2.8.3 (3175d)

WF-79289ad7-f289-4472-973d-d0ec2996c5c5-visual-form-builder · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Visual Form Builder <= 2.8.2 - Authenticated SQL Injection
May 15, 2015 · Patched in 2.8.3 (3175d)

Reading the entries: "Admin+" in a title means the issue is only reachable by a user who already holds administrator-level access, which is why those XSS entries score lower than the CSRF and SQL injection ones. The parenthesised day counts are not time-to-fix figures: each is the number of days from the advisory date to one common reference date (all eight resolve to Jan 23, 2024), so they record the age of the advisory when the page's numbers were computed. The two April 2022 advisories, for instance, were followed by the 3.1 release on May 27, 2022. Three 2015 advisories share the 2.8.3 fix and two of the November 2021 advisories share 3.0.6.
Code Analysis
Analyzed Mar 16, 2026

Visual Form Builder Code Analysis

Dangerous Functions: 15
Raw SQL Queries: 12 (69 prepared, 81 total)
Unescaped Output: 16 (539 escaped, 555 total)
Nonce Checks: 19
Capability Checks: 3
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Reading the counts: a nonce check (check_ajax_referer, check_admin_referer, wp_verify_nonce) proves only that the request originated from a page WordPress rendered for that user; it is CSRF protection, not authorisation. Authorisation is the current_user_can check, of which the scan found 3 against 19 nonce checks, so the two kinds of control should not be added together when judging how well an action is gated. The "Bundled Libraries: 0" figure also sits oddly beside the jquery.validate.min.js asset listed under Detection Fingerprints.

Dangerous Functions Found

unserialize · admin\class-entries-detail.php:33
    $data = unserialize( $entry->data );
unserialize · admin\class-entries-detail.php:65 (snippet truncated in the scan output)
    <span><strong><?php esc_html_e( 'Emailed To', 'visual-form-builder' ); ?>: </strong><?php echo preg
unserialize · admin\class-entries-list.php:631
    'emails_to' => implode( ',', unserialize( wp_unslash( $entry->emails_to ) ) ),
unserialize · admin\class-fields.php:184 (reported 3 times)
    $opts_vals = is_array( unserialize( $field->field_options ) ) ? unserialize( $field->field_options )
unserialize · admin\class-fields.php:235 (reported 3 times)
    $opts_vals = is_array( unserialize( $field->field_options ) ) ? unserialize( $field->field_options )
unserialize · admin\class-forms-edit.php:37 (reported 3 times)
    $form_email_to = is_array( unserialize( $form->form_email_to ) ) ? unserialize( $for
unserialize · public\class-email.php:65 (reported 3 times)
    'form_to' => is_array( unserialize( $form->form_email_to ) ) ? unserialize( $fo

Every call above deserialises a value read back from the plugin's own tables ($entry->data, $entry->emails_to, $field->field_options, $form->form_email_to), not a request parameter directly. Two things follow. The exposure is indirect: an attacker needs a way to write serialised data into those columns, which an SQL injection or an unchecked save handler would provide. And the is_array( unserialize( $x ) ) ? unserialize( $x ) : ... pattern gives no protection against object injection, because any object embedded in the string is instantiated, and its __wakeup() runs, during the first unserialize() call, before is_array() ever sees the result; the second call simply repeats it. Since PHP 7.0 the second argument array( 'allowed_classes' => false ) makes unserialize() return __PHP_Incomplete_Class for object tokens instead of instantiating them, which is the minimal fix when the stored data is only ever arrays of scalars.
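The is_array-then-unserialize pattern above cannot tell whether a stored value carries an object until it has already instantiated it. The script below is an added example, not code from the plugin or from the analysis service: it parses the PHP serialize() format itself (scalars, arrays, O: objects and C: custom-serialised objects) and reports which stored rows contain class tokens, which is the check to run over a form plugin's serialised columns after an incident or before switching the calls to allowed_classes => false. The sample rows are constructed and Evil_Gadget is a hypothetical class name.

```python
"""Find object tokens in PHP serialize() output before it reaches unserialize().

Added example, not code from the Visual Form Builder plugin or the scanner.
Only the O: (object) and C: (custom-serialised object) tokens make
unserialize() instantiate a class, so a column that should only ever hold
arrays of scalars can be screened for them. Sample rows are constructed;
Evil_Gadget is a hypothetical class name.
"""


class PhpSerializedError(ValueError):
    """Malformed PHP serialize() output."""


def parse_php_serialized(data: bytes):
    """Return (value, class_names). Objects become {'__class__': name, ...} dicts."""
    classes = []
    pos = 0

    def read_until(delim):
        nonlocal pos
        end = data.find(delim, pos)
        if end < 0:
            raise PhpSerializedError(f"expected {delim!r} after offset {pos}")
        token, pos = data[pos:end], end + len(delim)
        return token

    def expect(lit):
        nonlocal pos
        if data[pos:pos + len(lit)] != lit:
            raise PhpSerializedError(f"expected {lit!r} at offset {pos}")
        pos += len(lit)

    def read_string():
        # <bytelen>:"<bytes>"  (PHP lengths are byte counts, so slice bytes)
        nonlocal pos
        length = int(read_until(b":"))
        expect(b'"')
        raw, pos = data[pos:pos + length], pos + length
        if len(raw) != length:
            raise PhpSerializedError("string runs past end of data")
        expect(b'"')
        return raw.decode("utf-8", "replace")

    def read_pairs(count):
        expect(b"{")
        items = {}
        for _ in range(count):
            key = value()
            items[key] = value()
        expect(b"}")
        return items

    def value():
        nonlocal pos
        tag = data[pos:pos + 1]
        pos += 1
        if tag == b"N":                          # N;
            expect(b";")
            return None
        expect(b":")
        if tag in (b"i", b"b", b"d"):            # i:<int>; b:<0|1>; d:<float>;
            raw = read_until(b";")
            return int(raw) if tag == b"i" else raw == b"1" if tag == b"b" else float(raw)
        if tag == b"s":                          # s:<len>:"<bytes>";
            text = read_string()
            expect(b";")
            return text
        if tag == b"a":                          # a:<count>:{<key><value>...}
            return read_pairs(int(read_until(b":")))
        if tag == b"O":                          # O:<len>:"<Class>":<count>:{<props>}
            name = read_string()
            expect(b":")
            classes.append(name)
            return {"__class__": name, "props": read_pairs(int(read_until(b":")))}
        if tag == b"C":                          # C:<len>:"<Class>":<len>:{<opaque>}
            name = read_string()
            expect(b":")
            classes.append(name)
            length = int(read_until(b":"))
            expect(b"{")
            blob, pos = data[pos:pos + length], pos + length
            expect(b"}")
            return {"__class__": name, "custom": blob}
        raise PhpSerializedError(f"unknown type tag {tag!r} at offset {pos - 1}")

    result = value()
    if pos != len(data):
        raise PhpSerializedError(f"trailing bytes after offset {pos}")
    return result, classes


def audit_rows(rows):
    """Classify each stored value as 'ok', 'object:<Class,...>' or 'malformed'."""
    report = {}
    for row_id, blob in rows.items():
        try:
            _, classes = parse_php_serialized(blob)
        except PhpSerializedError:
            report[row_id] = "malformed"
            continue
        report[row_id] = "object:" + ",".join(classes) if classes else "ok"
    return report


# Constructed rows modelled on a "recipients" column: a clean array of
# addresses, one with an injected object, and one truncated mid-array.
SAMPLE_ROWS = {
    1: b'a:2:{i:0;s:17:"admin@example.com";i:1;s:15:"ops@example.org";}',
    2: b'a:1:{i:0;O:11:"Evil_Gadget":1:{s:4:"path";s:12:"/tmp/payload";}}',
    3: b'a:1:{i:0;s:17:"admin@example.com";',
}

if __name__ == "__main__":
    for row_id, verdict in audit_rows(SAMPLE_ROWS).items():
        print(row_id, verdict)
```

Row 2 is the case the plugin's is_array() guard would not catch in PHP: the parser here merely records the class name, whereas unserialize() would construct the object. The length check in read_string and the trailing-bytes check at the end also catch the truncated or padded blobs that a partial SQL injection tends to leave behind.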

SQL Query Safety

85% prepared (81 total queries)

Output Escaping

97% escaped (555 total outputs)
Data Flows · Security
6 unsanitized

Data Flow Analysis

14 flows, 6 with unsanitized paths
widget_control (admin\class-dashboard-widgets.php:102)
Attack Surface
2 unprotected

Visual Form Builder Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers (6)

wp_ajax_visual_form_builder_sort_field · auth · admin\class-ajax.php:12
wp_ajax_visual_form_builder_create_field · auth · admin\class-ajax.php:13
wp_ajax_visual_form_builder_delete_field · auth · admin\class-ajax.php:14
wp_ajax_visual_form_builder_form_settings · auth · admin\class-ajax.php:15
wp_ajax_vfb-export-fields · auth · admin\class-export.php:48
wp_ajax_vfb-media-button · auth · admin\class-media-button.php:14

All six are registered on wp_ajax_ hooks with no wp_ajax_nopriv_ twin, which appears to be what the "auth" badge records: WordPress dispatches them only for a logged-in session. That is not an authorisation check, since any role, including subscriber on a site with open registration, can post to admin-ajax.php. The summary counts two of the six as unprotected but the listing does not say which; the usual test is whether the callback performs both a nonce check and a current_user_can() check before acting.
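To reproduce the kind of test behind the "AJAX handlers without auth checks" figure, here is an added example in Python, not the plugin's code or the scanner's: it finds add_action( 'wp_ajax_…' ) registrations in PHP source, locates the callback body, and checks it for a nonce check and a current_user_can() call. The PHP it scans is a constructed fixture with hypothetical demo_* hook names; the third handler uses wp_ajax_nopriv_, which runs for anonymous visitors, to show the contrast.

```python
"""Static check for WordPress AJAX handlers that lack nonce and capability checks.

Added example, not code from the Visual Form Builder plugin or the scanner.
FIXTURE_PHP is a constructed fixture; the demo_* hook names are hypothetical.
"""
import re
from dataclasses import dataclass

FIXTURE_PHP = r'''<?php
class Demo_Ajax {
    public function __construct() {
        add_action( 'wp_ajax_demo_sort_field',    array( $this, 'sort_field' ) );
        add_action( 'wp_ajax_demo-export-fields', array( $this, 'export_fields' ) );
        add_action( 'wp_ajax_nopriv_demo_ping',   'demo_ping' );
    }
    public function sort_field() {
        check_ajax_referer( 'demo_sort_field', 'nonce' );     // request came from our page
        if ( ! current_user_can( 'manage_options' ) ) {        // and this user may do it
            wp_send_json_error( 'forbidden', 403 );
        }
        update_option( 'demo_order', array_map( 'absint', (array) $_POST['order'] ) );
        wp_send_json_success();
    }
    public function export_fields() {
        $form_id = absint( $_POST['form_id'] );   // sanitised, but no nonce and no capability check
        echo 'id,label' . "\n" . $form_id . ',demo';
        wp_die();
    }
}
function demo_ping() {   // nopriv: reachable without any login at all
    echo 'pong';
    wp_die();
}
'''

HOOK_RE = re.compile(
    r"""add_action\(\s*['"](wp_ajax_(nopriv_)?[\w-]+)['"]\s*,\s*"""
    r"""(?:array\(\s*\$this\s*,\s*['"](\w+)['"]\s*\)"""
    r"""|\[\s*\$this\s*,\s*['"](\w+)['"]\s*\]"""
    r"""|['"](\w+)['"])"""
)
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")


@dataclass
class AjaxHandler:
    hook: str
    callback: str
    public: bool        # wp_ajax_nopriv_: runs for anonymous visitors too
    has_nonce: bool
    has_cap: bool

    @property
    def protected(self) -> bool:
        # A nonce alone is CSRF protection, not authorisation; require both.
        return self.has_nonce and self.has_cap


def function_body(src: str, name: str) -> str:
    """Body of `function name(...)` including braces, or '' if not found.
    Plain brace counting; braces inside string literals would confuse it."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return ""


def audit_ajax_handlers(src: str) -> list:
    """One AjaxHandler per wp_ajax_* registration found in src."""
    handlers = []
    for m in HOOK_RE.finditer(src):
        callback = m.group(3) or m.group(4) or m.group(5)
        body = function_body(src, callback)
        handlers.append(AjaxHandler(
            hook=m.group(1), callback=callback, public=m.group(2) is not None,
            has_nonce=bool(NONCE_RE.search(body)), has_cap=bool(CAP_RE.search(body)),
        ))
    return handlers


def unprotected(handlers: list) -> list:
    return [h.hook for h in handlers if not h.protected]


if __name__ == "__main__":
    found = audit_ajax_handlers(FIXTURE_PHP)
    for h in found:
        print(f"{h.hook:30} nopriv={h.public!s:5} nonce={h.has_nonce!s:5} cap={h.has_cap!s:5}")
    print("unprotected:", unprotected(found))
```

Run against a real plugin directory, the same loop would be applied to every .php file under admin/ and public/; a callback registered in one file and defined in another is handled by concatenating the sources before calling function_body. The sanitising absint() in export_fields is deliberate: input sanitisation and authorisation are separate controls, and a handler can have the first and still be one of the "unprotected" two.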

Shortcodes (1)

[vfb] · public\class-form-display.php:50

WordPress Hooks (24)

action · admin_menu · admin\class-admin-menu.php:16
action · admin_notices · admin\class-admin-notices.php:13
action · admin_notices · admin\class-admin-notices.php:14
action · admin_notices · admin\class-admin-notices.php:15
action · admin_notices · admin\class-admin-notices.php:16
action · admin_notices · admin\class-admin-notices.php:17
action · wp_dashboard_setup · admin\class-dashboard-widgets.php:13
action · admin_init · admin\class-entries-detail.php:12
action · admin_init · admin\class-export.php:47
action · media_buttons · admin\class-media-button.php:13
action · admin_init · admin\class-save.php:14
action · admin_init · admin\class-save.php:15
action · admin_init · admin\class-save.php:16
action · admin_init · admin\class-save.php:17
action · admin_init · admin\class-save.php:18
action · widgets_init · admin\class-widget.php:10
action · wp_enqueue_scripts · public\class-form-display.php:51
action · wp_enqueue_scripts · public\class-form-display.php:52
action · init · public\class-form-display.php:53
action · vfb_after_email · public\class-form-display.php:54
action · vfb_after_email · public\class-form-display.php:55
action · plugins_loaded · visual-form-builder.php:91
action · plugins_loaded · visual-form-builder.php:94
filter · set-screen-option · visual-form-builder.php:97
Maintenance & Trust

Visual Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: May 27, 2022
PHP min version: not stated
Downloads: 1.7M

Community Trust

Rating: 82/100
Number of ratings: 318
Active installs: 20K
Developer Profile

Visual Form Builder Developer Profile

Matthew Muro

4 plugins · 22K total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 1663 days

The "Avg Patch Time" figure is the arithmetic mean of the eight parenthesised day counts in the vulnerability list above (652 + 656 + 811 + 811 + 848 + 3175 + 3175 + 3175 = 13303; 13303 / 8 = 1662.9). Those counts measure each advisory's age at the time the page's numbers were computed, not the interval between disclosure and fix, so the metric should not be read as fixes taking four and a half years.
Detection Fingerprints

How We Detect Visual Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • admin/assets/css/visual-form-builder-admin.min.css
  • admin/assets/js/jquery.validate.min.js
  • admin/assets/js/vfb-admin.min.js
  • public/assets/css/visual-form-builder-public.min.css
  • public/assets/js/vfb-public.min.js

Version Parameters
  • visual-form-builder-style?ver=2021.03.22
  • jquery.validate.min.js?ver=1.9.0
  • vfb-admin?ver=2022.05.11
  • visual-form-builder-public?ver=2021.04.28
  • vfb-public?ver=2022.05.11

HTML / DOM Fingerprints

CSS Classes
  • vfb-field
  • vfb-form-wrapper
  • visual-form-builder

Data Attributes
  • data-vfb-form-id

JS Globals
  • vfb_vars

Shortcode Output
  [visual_form_builder id="visual_form_builder

Two caveats for anyone reusing these in a scanner. The ver= values are build dates (2022.05.11) and a bundled library's version (jquery.validate 1.9.0), not the plugin's release number, so a match identifies the plugin but does not by itself show whether the installed copy predates 3.0.8. And the admin/ assets are, by their location, meant for wp-admin screens, so an unauthenticated crawl of the public site will normally see only the public/ assets, the CSS classes, the data attribute and the vfb_vars global.
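The fingerprints above, turned into a matcher as an added example (not the audit service's own detector). It runs over a constructed HTML snippet standing in for a crawled page; a real run would fetch the page first. The scoring weights are a hypothetical choice, and the ver= values are reported as hints rather than mapped to a plugin release for the reason given above.

```python
"""Match the asset and DOM fingerprints listed above against page HTML.

Added example, not the audit service's own detector. SAMPLE_HTML is a
constructed stand-in for a crawled page (shop.example is a placeholder
host); the scoring weights are a hypothetical choice.
"""
import re
from urllib.parse import parse_qs, urlparse

# Asset paths from the list above, anchored to the plugin directory.
ASSET_RE = re.compile(
    r"/wp-content/plugins/visual-form-builder/"
    r"(admin/assets/css/visual-form-builder-admin\.min\.css"
    r"|admin/assets/js/jquery\.validate\.min\.js"
    r"|admin/assets/js/vfb-admin\.min\.js"
    r"|public/assets/css/visual-form-builder-public\.min\.css"
    r"|public/assets/js/vfb-public\.min\.js)"
    r"""(\?[^"'\s>]*)?"""
)
CSS_CLASSES = {"vfb-field", "vfb-form-wrapper", "visual-form-builder"}
DATA_ATTR = "data-vfb-form-id"
JS_GLOBAL_RE = re.compile(r"\bvar\s+vfb_vars\b|\bvfb_vars\s*=")


def fingerprint(html: str) -> dict:
    """Report which fingerprints fired and any ver= values seen on plugin assets."""
    assets, versions = set(), {}
    for m in ASSET_RE.finditer(html):
        assets.add(m.group(1))
        qs = parse_qs(urlparse(m.group(0)).query)
        if "ver" in qs:  # build date or library version, not the plugin release
            versions[m.group(1).rsplit("/", 1)[-1]] = qs["ver"][0]
    classes = set()
    for m in re.finditer(r'class="([^"]*)"', html):
        classes |= set(m.group(1).split()) & CSS_CLASSES
    data_attr = DATA_ATTR in html
    js_global = JS_GLOBAL_RE.search(html) is not None
    # Assets alone are decisive; the DOM markers together are just enough for
    # the case where a cache or CDN plugin has rewritten the asset URLs.
    score = 50 * bool(assets) + 20 * bool(classes) + 20 * data_attr + 10 * js_global
    return {
        "detected": score >= 50,
        "confidence": min(score, 100),
        "assets": sorted(assets),
        "css_classes": sorted(classes),
        "data_attr": data_attr,
        "js_global": js_global,
        "version_hints": versions,
    }


# Constructed page: what a public form page typically exposes (no admin/ assets).
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/visual-form-builder/public/assets/css/visual-form-builder-public.min.css?ver=2021.04.28">
<script src="https://shop.example/wp-content/plugins/visual-form-builder/public/assets/js/vfb-public.min.js?ver=2022.05.11"></script>
<script>var vfb_vars = {"ajaxurl":"https://shop.example/wp-admin/admin-ajax.php"};</script>
</head><body>
<div class="visual-form-builder vfb-form-wrapper" data-vfb-form-id="3">
<form method="post"><div class="vfb-field"><input name="vfb-1"></div></form></div>
</body></html>"""

# Constructed negative: a page using a different forms plugin.
OTHER_PLUGIN_HTML = '<html><body><form class="wpcf7-form"><input name="your-name"></form></body></html>'

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
    print(fingerprint(OTHER_PLUGIN_HTML))
```

Once a site is flagged, the plugin's own release number is normally read from the Stable tag line of /wp-content/plugins/visual-form-builder/readme.txt, which WordPress plugins ship and most hosts serve as a static file; that, not the ver= hint, is what decides whether the install is at or below 3.0.7.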
FAQ

Frequently Asked Questions about Visual Form Builder