Spam Protect for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/wp-contact-form-7-spam-blocker

Spam Protect for Contact-Form7 protects from spam and bots. Customize defense strategies and monitor blocked attempts. Protect your time effectively!

10K active installs · v1.2.10 · PHP 5.4+ · WP 5.2+ · Updated Feb 6, 2026
Tags: anti-spam-plugin, contact-form-7-security, form-spam-prevention, website-form-protection, wordpress-form-security
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Spam Protect for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 100/100

Spam Protect for Contact Form 7 has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The plugin 'wp-contact-form-7-spam-blocker' version 1.2.10 exhibits a generally strong security posture based on the provided static analysis. The absence of any CVEs in its history and the reported zero critical or high severity vulnerabilities indicate a commitment to secure coding practices over time. The code analysis reveals a clean slate regarding dangerous functions and external HTTP requests, and all SQL queries are properly prepared. Furthermore, output escaping is largely effective, with 94% of outputs being properly escaped. This suggests a mature and well-maintained plugin.

However, a significant concern arises from the taint analysis, which identified three flows with unsanitized paths. While these did not reach a critical or high severity level, the presence of unsanitized paths, even if mitigated by other factors not detailed here, represents a potential area of weakness. The plugin also lacks capability checks and nonce checks entirely, which, coupled with zero unprotected AJAX handlers or REST API routes, implies that these entry points are either not used or are protected by other means not immediately apparent in this report. The file operations without context for their security implications also warrant a minor caution.

In conclusion, the plugin is largely secure, with a strong track record and good coding practices in place. The primary areas of concern are the identified unsanitized paths in the taint analysis and the complete absence of capability and nonce checks. These factors, while not currently manifesting as critical vulnerabilities, should be monitored and addressed for a more robust security posture.

Key Concerns

  • Taint flows with unsanitized paths found
  • No capability checks
  • No nonce checks
  • File operations present without detailed security context
Vulnerabilities
None known

Spam Protect for Contact Form 7 Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Spam Protect for Contact Form 7 Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 2 (31 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 3
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

94% escaped · 33 total outputs
Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
spcf7_plugin_admin_post_settings (admin\class-admin.php:69)
Attack Surface

Spam Protect for Contact Form 7 Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 13
  • filter wpcf7_editor_panels (admin\class-admin.php:46)
  • action wpcf7_after_save (admin\class-admin.php:49)
  • filter wpcf7_validate_email (frontend\class-front.php:46)
  • filter wpcf7_validate_email* (frontend\class-front.php:47)
  • filter wpcf7_validate_text (frontend\class-front.php:49)
  • filter wpcf7_validate_text* (frontend\class-front.php:50)
  • filter wpcf7_validate_textarea (frontend\class-front.php:52)
  • filter wpcf7_validate_textarea* (frontend\class-front.php:53)
  • action plugins_loaded (includes\class-blocker.php:97)
  • action admin_enqueue_scripts (includes\class-blocker.php:108)
  • action admin_enqueue_scripts (includes\class-blocker.php:109)
  • action wp_enqueue_scripts (includes\class-blocker.php:120)
  • action wp_enqueue_scripts (includes\class-blocker.php:121)
Maintenance & Trust

Spam Protect for Contact Form 7 Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Feb 6, 2026
  • PHP min version: 5.4
  • Downloads: 131K

Community Trust

  • Rating: 82/100
  • Number of ratings: 12
  • Active installs: 10K
Alternatives

Spam Protect for Contact Form 7 Alternatives

No alternatives data available yet.

Developer Profile

Spam Protect for Contact Form 7 Developer Profile

NYSL

1 plugin · 10K total installs

  • Trust score: 94
  • Avg Security Score: 100/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Spam Protect for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-contact-form-7-spam-blocker/admin/css/style.css
  • /wp-content/plugins/wp-contact-form-7-spam-blocker/admin/js/spcf7-admin.js
  • /wp-content/plugins/wp-contact-form-7-spam-blocker/public/css/spcf7-public.css
  • /wp-content/plugins/wp-contact-form-7-spam-blocker/public/js/spcf7-public.js
Version Parameters
  • wp-contact-form-7-spam-blocker/admin/css/style.css?ver=
  • wp-contact-form-7-spam-blocker/admin/js/spcf7-admin.js?ver=
  • wp-contact-form-7-spam-blocker/public/css/spcf7-public.css?ver=
  • wp-contact-form-7-spam-blocker/public/js/spcf7-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • spcf7-notice
  • blocker-7-setting
  • blocker-7-setting-small
  • main-wrap
HTML Comments
  • <!-- If this file is called directly, abort. -->
  • <!-- The code that runs during plugin activation. -->
  • <!-- The code that runs during plugin deactivation. -->
  • <!-- The core plugin class that is used to define internationalization, admin-specific hooks, and public-facing site hooks. -->
  • +9 more
Data Attributes
  • id="wpcf7-block-email-list-id"
  • id="wpcf7-block-email-domain-id"
  • id="wpcf7-block-top-domain-id"
  • id="wpcf7-protected-fields-id"
  • id="wpcf7-block-words-id"
  • id="wpcf7-block-shortlinks-id"
  • +12 more
JS Globals
  • window.spcf7_object
FAQ

Frequently Asked Questions about Spam Protect for Contact Form 7