WP Forms Connector Security & Risk Analysis

wordpress.org/plugins/wp-forms-connector

Short Description: Easily manage and export Contact Form 7 submissions via REST API.

10 active installs · v1.8 · PHP 7.2+ · WP 4.8+ · Updated Dec 4, 2025
Tags: contact-form, export, rest-api, save-contact-form, wpcf7
Score: 100
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Forms Connector Safe to Use in 2026?

Generally Safe

Score 100/100

WP Forms Connector has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4mo ago
Risk Assessment

The "wp-forms-connector" plugin v1.8 presents a mixed security posture. On the positive side, it has no known CVEs and a good number of capability checks. However, the static analysis reveals some significant areas of concern. The presence of the `unserialize` function is a major red flag, as it is a common vector for remote code execution if data is not properly sanitized before being passed to it. Taint analysis did not report critical or high severity flows, but the "flows with unsanitized paths" it did find are concerning and warrant further investigation. One REST API route lacks a permission callback, which makes it a direct entry point that could be exploited by unauthenticated users. A substantial percentage of the plugin's SQL queries do not use prepared statements, which increases the risk of SQL injection vulnerabilities.

The plugin's lack of historical vulnerabilities might suggest a diligent development team or a less targeted attack surface, but the current code signals suggest proactive patching and scrutiny are essential.

Key Concerns

  • REST API route without permission callback
  • Dangerous function: unserialize found
  • SQL queries not using prepared statements (69%)
  • Output escaping not properly implemented (38%)
  • Flows with unsanitized paths found
Vulnerabilities
None known

WP Forms Connector Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Forms Connector Code Analysis

Dangerous Functions: 8
Raw SQL Queries: 25 · 11 prepared
Unescaped Output: 15 · 24 escaped
Nonce Checks: 4
Capability Checks: 6
File Operations: 6
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize (inc\appyconnect-admin-form-details.php:49): `<?php $form_data = unserialize( $results[0]->form_value );`
  • unserialize (inc\appyconnect-admin-subpage.php:126): `$first_row = isset($results[0]) ? unserialize( $results[0]->form_value ): 0 ;`
  • unserialize (inc\appyconnect-admin-subpage.php:230): `$form_value = unserialize( $result->form_value );`
  • unserialize (inc\appyconnect-admin-subpage.php:303): `$result_values = unserialize($result_value);`
  • unserialize (inc\appyconnect-admin-subpage.php:331): `$result_values = unserialize( $result_value );`
  • unserialize (inc\appyconnect-admin-subpage.php:347): `$result_values = unserialize( $result_value );`
  • unserialize (inc\appyconnect-export-csv.php:84): `$heading_row = unserialize( $heading_row->form_value );`
  • unserialize (inc\appyconnect-export-csv.php:110): `$resultTmp = unserialize( $result->form_value );`

SQL Query Safety

31% prepared · 36 total queries

Output Escaping

62% escaped · 39 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
bulk_actions (inc\appyconnect-admin-subpage.php:406)
Attack Surface
1 unprotected

WP Forms Connector Attack Surface

Entry Points: 2
Unprotected: 1

REST API Routes: 2

  • POST /wp-json/wp/v3posts/create · custom-post-create.php:11
  • GET /wp-json/wp/v3/allposttype/ · WP-Forms-Connector.php:1932

WordPress Hooks: 20

  • action · rest_api_init · custom-post-create.php:9
  • action · admin_menu · inc\appyconnect-admin-mainpage.php:18
  • action · wpcf7_before_send_mail · WP-Forms-Connector.php:213
  • action · wpcf7_before_send_mail · WP-Forms-Connector.php:294
  • action · init · WP-Forms-Connector.php:296
  • action · admin_notices · WP-Forms-Connector.php:333
  • action · admin_init · WP-Forms-Connector.php:334
  • action · plugins_loaded · WP-Forms-Connector.php:392
  • action · rest_api_init · WP-Forms-Connector.php:400
  • action · rest_api_init · WP-Forms-Connector.php:464
  • action · rest_api_init · WP-Forms-Connector.php:547
  • action · rest_api_init · WP-Forms-Connector.php:630
  • action · init · WP-Forms-Connector.php:1826
  • action · rest_api_init · WP-Forms-Connector.php:1931
  • action · init · WP-Forms-Connector.php:1980
  • action · wpforms_process_entry_save · WP-Forms-Connector.php:2115
  • action · admin_notices · WP-Forms-Connector.php:2131
  • action · admin_init · WP-Forms-Connector.php:2132
  • action · rest_api_init · WP-Forms-Connector.php:2193
  • action · rest_api_init · WP-Forms-Connector.php:2291
Maintenance & Trust

WP Forms Connector Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 4, 2025
PHP min version: 7.2
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

WP Forms Connector Developer Profile

Appy Pie

4 plugins · 60 total installs

Trust score: 88
Avg Security Score: 91/100
Avg Patch Time: 28 days
Detection Fingerprints

How We Detect WP Forms Connector

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-forms-connector/assets/css/admin-style.css

HTML / DOM Fingerprints

CSS Classes
wrap, icon32
Data Attributes
class="row-title"