WP Subscription Forms – Subscription Form Plugin for WordPress Security & Risk Analysis

wordpress.org/plugins/wp-subscription-forms

Create unlimited subscription forms effortlessly with our user-friendly tool. Collect subscribers directly in WP Backend and export them to CSV.

500 active installs · v1.2.5 · PHP 7.0.0+ · WP 6.0+ · Updated Dec 8, 2025
Tags: form, subscribe, subscribe-form, subscription, subscription-forms
Score: 96 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Apr 16, 2025
Safety Verdict

Is WP Subscription Forms – Subscription Form Plugin for WordPress Safe to Use in 2026?

Generally Safe

Score 96/100

WP Subscription Forms – Subscription Form Plugin for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Apr 16, 2025 · Updated 3mo ago
Risk Assessment

The "wp-subscription-forms" v1.2.5 plugin exhibits a concerning security posture despite some positive code practices. While the plugin shows a decent percentage of SQL queries using prepared statements and a reasonable rate of output escaping, the static analysis reveals significant vulnerabilities. A large attack surface, with 10 out of 11 entry points lacking authorization checks, is a major concern. Furthermore, the taint analysis indicates 8 critical flows with unsanitized paths, suggesting potential for severe exploits like Remote Code Execution or SQL Injection. The plugin's vulnerability history, including 3 known CVEs with a past high-severity SQL Injection and PHP Remote File Inclusion, reinforces these concerns. These historical patterns, combined with the current code signals, suggest a recurring weakness in secure coding practices, particularly around input validation and authorization.

Key Concerns

  • High number of AJAX handlers without auth checks
  • High severity taint flows with unsanitized paths
  • Multiple past CVEs with critical/high severity
  • Past PHP Remote File Inclusion vulnerability
  • Past SQL Injection vulnerability
  • Low number of capability checks relative to entry points
  • Only 5 nonce checks for 10 unprotected AJAX handlers
Vulnerabilities: 3

WP Subscription Forms – Subscription Form Plugin for WordPress Security Vulnerabilities

CVEs by Year

3 CVEs in 2025

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-39591 · medium · 4.3 · Missing Authorization

WP Subscription Forms <= 1.2.3 - Missing Authorization

Apr 16, 2025 · Patched in 1.2.4 (15d)

CVE-2025-32692 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WP Subscription Forms <= 1.2.4 - Authenticated (Contributor+) Local File Inclusion

Apr 9, 2025 · Patched in 1.2.5 (8d)

CVE-2025-30784 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Subscription Forms <= 1.2.3 - Authenticated (Contributor+) SQL Injection

Mar 27, 2025 · Patched in 1.2.4 (8d)
Code Analysis
Analyzed Mar 16, 2026

WP Subscription Forms – Subscription Form Plugin for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (18 prepared)
Unescaped Output: 63 (244 escaped)
Nonce Checks: 5
Capability Checks: 1
File Operations: 1
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

82% prepared · 22 total queries

Output Escaping

79% escaped · 307 total outputs
Data Flows: 8 unsanitized

Data Flow Analysis

10 flows · 8 with unsanitized paths
get_subscriber_csv_rows (inc\classes\class-wpsf-admin.php:91)
Attack Surface: 10 unprotected

WP Subscription Forms – Subscription Form Plugin for WordPress Attack Surface

Entry Points: 11
Unprotected: 10

AJAX Handlers 10

  • auth: wp_ajax_wpsf_form_save_action (inc\classes\class-wpsf-ajax-admin.php:15)
  • nopriv: wp_ajax_wpsf_form_save_action (inc\classes\class-wpsf-ajax-admin.php:16)
  • auth: wp_ajax_wpsf_form_delete_action (inc\classes\class-wpsf-ajax-admin.php:22)
  • nopriv: wp_ajax_wpsf_form_delete_action (inc\classes\class-wpsf-ajax-admin.php:23)
  • auth: wp_ajax_wpsf_form_copy_action (inc\classes\class-wpsf-ajax-admin.php:29)
  • nopriv: wp_ajax_wpsf_form_copy_action (inc\classes\class-wpsf-ajax-admin.php:30)
  • auth: wp_ajax_wpsf_subscriber_delete_action (inc\classes\class-wpsf-ajax-admin.php:37)
  • nopriv: wp_ajax_wpsf_subscriber_delete_action (inc\classes\class-wpsf-ajax-admin.php:38)
  • auth: wp_ajax_wpsf_form_process_action (inc\classes\class-wpsf-ajax.php:12)
  • nopriv: wp_ajax_wpsf_form_process_action (inc\classes\class-wpsf-ajax.php:13)

Shortcodes 1

  • [wp_subscription_forms] (inc\classes\class-wpsf-shortcode.php:9)

WordPress Hooks 13

  • action: admin_menu (inc\classes\class-wpsf-admin.php:9)
  • action: admin_footer (inc\classes\class-wpsf-admin.php:10)
  • action: admin_post_wpsf_export_csv (inc\classes\class-wpsf-admin.php:14)
  • action: wp_enqueue_scripts (inc\classes\class-wpsf-enqueue.php:9)
  • action: admin_enqueue_scripts (inc\classes\class-wpsf-enqueue.php:10)
  • action: template_redirect (inc\classes\class-wpsf-hooks.php:8)
  • action: template_redirect (inc\classes\class-wpsf-hooks.php:9)
  • action: wp_footer (inc\classes\class-wpsf-hooks.php:10)
  • action: init (inc\classes\class-wpsf-init.php:9)
  • action: admin_init (inc\classes\class-wpsf-review.php:6)
  • action: admin_post_wpsf_hide_review_notice (inc\classes\class-wpsf-review.php:7)
  • action: admin_notices (inc\classes\class-wpsf-review.php:22)
  • action: widgets_init (inc\classes\class-wpsf-widget.php:13)
Maintenance & Trust

WP Subscription Forms – Subscription Form Plugin for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 8, 2025
PHP min version: 7.0.0
Downloads: 15K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 500
Developer Profile

WP Subscription Forms – Subscription Form Plugin for WordPress Developer Profile

WP Shuffle

8 plugins · 4K total installs

Trust score: 99
Avg Security Score: 98/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect WP Subscription Forms – Subscription Form Plugin for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-subscription-forms/css/wpsf-frontend.css
  • /wp-content/plugins/wp-subscription-forms/css/wpsf-frontend-rtl.css
  • /wp-content/plugins/wp-subscription-forms/fontawesome/css/all.min.css
  • /wp-content/plugins/wp-subscription-forms/js/wpsf-frontend.js
  • /wp-content/plugins/wp-subscription-forms/css/wpsf-preview.css
  • /wp-content/plugins/wp-subscription-forms/css/wpsf-backend.css
  • /wp-content/plugins/wp-subscription-forms/js/wpsf-backend.js
Script Paths
  • /wp-content/plugins/wp-subscription-forms/js/wpsf-frontend.js
  • /wp-content/plugins/wp-subscription-forms/js/wpsf-backend.js
Version Parameters
  • wp-subscription-forms/css/wpsf-frontend.css?ver=
  • wp-subscription-forms/fontawesome/css/all.min.css?ver=
  • wp-subscription-forms/js/wpsf-frontend.js?ver=
  • wp-subscription-forms/css/wpsf-preview.css?ver=
  • wp-subscription-forms/css/wpsf-backend.css?ver=
  • wp-subscription-forms/js/wpsf-backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpsf-form
  • wpsf-subscribe-form
HTML Comments
  • <!-- Start WPSF Subscription Form -->
  • <!-- End WPSF Subscription Form -->
  • <!-- WPSF Frontend Form -->
Data Attributes
  • data-wpsf-form-id
JS Globals
  • wpsf_frontend_obj
  • wpsf_backend_obj
Shortcode Output
  • [wpsf_form
  • [wpsf_subscribe_form
FAQ

Frequently Asked Questions about WP Subscription Forms – Subscription Form Plugin for WordPress