WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms Security & Risk Analysis

wordpress.org/plugins/wpeform-lite

Drag and Drop Live Form Builder with landing page, cost estimation, quizzes, personality tests, surveys, data collection and user feedback of all kind

40 active installs · v1.6.5 · PHP 7.1+ · WP 5.4+ · Updated Jul 6, 2023
Tags: drag-and-drop-form, live-form-builder, payment-form, personality-quiz, survey
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms Safe to Use in 2026?

Generally Safe

Score 85/100

WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms has no known CVEs. Its latest release, v1.6.5, dates from Jul 6, 2023, so at the time of this analysis it had not been updated for more than two years; the verdict rests on the absence of a vulnerability history, not on active maintenance. It is a reasonable choice for most WordPress installations, provided the operator keeps an eye on whether updates resume.

No known CVEs · Updated 2yr ago
Risk Assessment

The "wpeform-lite" plugin v1.6.5 shows a generally good security posture: it has no known CVEs, and 127 of its 134 SQL queries (95%) use prepared statements. The static analysis found no AJAX handlers, REST API routes, shortcodes or cron events that it could classify as entry points, which on its face reduces the attack surface. That figure should be read with care, however: the detection fingerprints on this page list a REST route (/wp-json/wpeform/v1/form) and a shortcode ([wpeform), the hook list shows a query_vars filter and a template_redirect action registered in inc\System\Endpoints.php, which together are the standard WordPress pattern for serving a custom front-end endpoint, and the one taint flow sits in a file under inc\GraphQL\Server. The "0 entry points" count therefore reflects what the analyzer recognised, not a confirmed absence of request handlers. The most notable concern is the very low rate of output escaping: only 6 of 124 output statements (5%) pass through an escaping function, a strong indicator of Cross-Site Scripting (XSS) risk wherever stored form definitions or submitted values are rendered. The single file operation is reported without further context and is a potential risk if its path is derived from user input. The taint analysis flagged one flow with an unsanitized path, in inc\GraphQL\Server\Helper.php; it is not classified as critical or high severity, but an unsanitized path that reaches a file operation is the classic precondition for directory traversal, so it warrants manual review.

A clean vulnerability history does not guarantee future security. The identified weaknesses, the output escaping rate and the unsanitized path flow, are common entry points for attackers. The scan also counted zero nonce checks and zero capability checks across the code base. Because it recognised zero entry points at the same time, it could not match checks to handlers, so this reads as a gap in analyzer coverage rather than proof that handlers are unprotected; even so, any request handler that changes state or reads files must verify both a nonce (against CSRF) and a capability (for authorization), and this should be confirmed by hand for the query_vars/template_redirect endpoint in inc\System\Endpoints.php and for the GraphQL helper that appear elsewhere on this page. The bundled Freemius and TinyMCE libraries are potential risks if they are outdated or affected by known vulnerabilities; the scanner reports Freemius as "1.0" and no version at all for TinyMCE, and no specific version issue is highlighted in the data, so both should be checked against the vendors' current releases. In conclusion, "wpeform-lite" v1.6.5 is not overtly vulnerable on the basis of known history or critical code signals, but the poor output escaping and the unsanitized path flow are significant, actionable risks that the developer should address.
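The escaping concern above is easiest to see side by side. The following is an added example, not code from WPEForm Lite: it renders one form field twice, first the way a 5% escaping rate implies, then with WordPress's context-specific escaping functions. The $field array is constructed sample data shaped like a stored form definition plus a submitted value; the wpeform_demo_* function names are hypothetical, and the snippet assumes it is loaded inside WordPress (for example from a mu-plugin), since esc_html(), esc_attr(), esc_url() and wp_kses() come from core.

```php
<?php
// Added example, not WPEForm's code. Constructed sample data: a form field whose label,
// placeholder and help URL come from a stored form definition and whose value is echoed back
// after submission. An attacker who can influence any of these controls a script in the page
// unless every interpolation below is escaped for its context.
$field = [
    'id'          => 'email',
    'label'       => 'Your e-mail <img src=x onerror=alert(1)>',   // stored XSS payload in text
    'placeholder' => '" autofocus onfocus="alert(document.cookie)', // breaks out of an attribute
    'help_url'    => 'javascript:alert(1)',                          // non-http(s) scheme in a href
    'value'       => '<script>alert(1)</script>',                    // reflected after submit
];

// Vulnerable render: every interpolation is an XSS sink.
function wpeform_demo_render_unescaped(array $f): string {
    return '<label for="' . $f['id'] . '">' . $f['label'] . '</label>'
         . '<input id="' . $f['id'] . '" placeholder="' . $f['placeholder'] . '"'
         . ' value="' . $f['value'] . '">'
         . '<a href="' . $f['help_url'] . '">help</a>';
}

// Hardened render: escape at the point of output, with the function that matches the context.
//   element text      -> esc_html()   (< > & " ' become entities)
//   attribute value   -> esc_attr()   (also neutralises the quote that closes the attribute)
//   URL in href/src   -> esc_url()    (returns '' for disallowed schemes such as javascript:)
function wpeform_demo_render_escaped(array $f): string {
    return '<label for="' . esc_attr($f['id']) . '">' . esc_html($f['label']) . '</label>'
         . '<input id="' . esc_attr($f['id']) . '" placeholder="' . esc_attr($f['placeholder']) . '"'
         . ' value="' . esc_attr($f['value']) . '">'
         . '<a href="' . esc_url($f['help_url']) . '">help</a>';
}

// If labels legitimately need a little markup, allow exactly that markup instead of escaping it away.
function wpeform_demo_label_with_markup(string $label): string {
    return wp_kses($label, [
        'strong' => [],
        'em'     => [],
        'a'      => ['href' => []],
    ]);
}

echo wpeform_demo_render_escaped($field);
```

Escaping late (at echo time) rather than at save time is the rule worth enforcing in review: a value sanitized on input can still be rendered into a different context later, and a stored value can be changed through another path such as a database import.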

Key Concerns

  • Low output escaping rate
  • Taint flow with unsanitized path
  • Potential risk with file operations
  • Bundled Freemius v1.0 library (potentially outdated)
  • Bundled TinyMCE library (potentially outdated)
Vulnerabilities
None known

WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 7 (127 prepared)
Unescaped Output: 118 (6 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 1
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

Freemius (version reported as 1.0), TinyMCE (version not reported)

SQL Query Safety

95% prepared (127 of 134 total queries)

Output Escaping

5% escaped (6 of 124 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

1 flow, 1 with an unsanitized path
<Helper> (inc\GraphQL\Server\Helper.php:0)
Attack Surface

WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 9
filter mce_buttons (inc\Editor\Shortcode.php:92)
filter mce_external_plugins (inc\Editor\Shortcode.php:93)
filter query_vars (inc\System\Endpoints.php:172)
action template_redirect (inc\System\Endpoints.php:173)
filter show_first_trial_after_n_sec (inc\System\Init.php:448)
filter reshow_trial_after_every_n_sec (inc\System\Init.php:454)
filter freemius_pricing_js_path (inc\System\Init.php:463)
filter plugin_icon (inc\System\Init.php:472)
action after_uninstall (inc\System\Init.php:480)
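The query_vars filter and template_redirect action listed above are the usual way to serve a custom front-end endpoint, and such an endpoint is also where a file operation fed by an unsanitized path (the one flow in the Data Flow Analysis) would typically sit. The following is an added example, not WPEForm's code, showing how such an endpoint should be protected: a capability check, a nonce check, and a path containment check before the file is read. The query var, the export directory, the file naming rule and every wpeform_demo_* name are hypothetical; the snippet assumes it runs inside WordPress on PHP 7.1+.

```php
<?php
// Added example, not WPEForm's code. A hypothetical CSV export endpoint built on the same two
// hooks the scan found (query_vars + template_redirect), hardened with the three checks the
// scanner counts: capability (authorization), nonce (CSRF) and path containment (traversal).
//
// Vulnerable shape this replaces (do not use): readfile(WP_CONTENT_DIR . '/exports/' . $_GET['file']);

add_filter('query_vars', function (array $vars): array {
    $vars[] = 'wpeform_demo_export';   // hypothetical: ?wpeform_demo_export=<file>&_wpnonce=<nonce>
    return $vars;
});

add_action('template_redirect', function (): void {
    $file = get_query_var('wpeform_demo_export');
    if ($file === '') {
        return;   // not our request, let WordPress continue
    }

    // 1. Authorization: only users allowed to manage the site may export; everyone else gets 403.
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', ['response' => 403]);
    }

    // 2. CSRF: the link must carry a nonce tied to this action (generate it with wp_nonce_url()).
    $nonce = isset($_GET['_wpnonce']) ? sanitize_text_field(wp_unslash($_GET['_wpnonce'])) : '';
    if (!wp_verify_nonce($nonce, 'wpeform_demo_export')) {
        wp_die('Invalid request', '', ['response' => 403]);
    }

    // 3. Path containment: the file operation must stay inside the export directory.
    $base = wp_upload_dir()['basedir'] . '/wpeform-demo-exports';   // hypothetical location
    $path = wpeform_demo_safe_path($base, $file);
    if ($path === null) {
        wp_die('Invalid file', '', ['response' => 400]);
    }

    header('Content-Type: text/csv');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
});

/**
 * Resolve $name under $base and return the absolute path, or null if the name is not a plain
 * CSV file name, the file does not exist, or the resolved path escapes $base.
 */
function wpeform_demo_safe_path(string $base, string $name): ?string {
    // Allowlist first: no slashes, no "..", no null bytes, no other extensions.
    if (!preg_match('/^[A-Za-z0-9_-]+\.csv$/', $name)) {
        return null;
    }
    $baseReal = realpath($base);
    $real     = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $real === false || !is_file($real)) {
        return null;
    }
    // Defence in depth: even with the allowlist, confirm the canonical path is inside $base
    // (this also catches a symlink inside the export directory pointing elsewhere).
    return strpos($real, $baseReal . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}
```

A link to this endpoint would be built with wp_nonce_url(add_query_arg('wpeform_demo_export', 'entries.csv', home_url('/')), 'wpeform_demo_export'). The order of the checks matters: authorization comes before the nonce check so that an anonymous request cannot probe nonce validity, and both come before any file system access.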
Maintenance & Trust

WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.3.8
Last updated: Jul 6, 2023
PHP min version: 7.1
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 40
Developer Profile

WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms Developer Profile

Swashata Ghosh

2 plugins · 50 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpeform-lite/assets/css/admin-style.css
/wp-content/plugins/wpeform-lite/assets/css/style.css
/wp-content/plugins/wpeform-lite/assets/js/frontend.js
/wp-content/plugins/wpeform-lite/assets/js/admin.js
Script Paths
/wp-content/plugins/wpeform-lite/assets/js/frontend.js
/wp-content/plugins/wpeform-lite/assets/js/admin.js
Version Parameters
wpeform-lite/assets/css/admin-style.css?ver=
wpeform-lite/assets/css/style.css?ver=
wpeform-lite/assets/js/frontend.js?ver=
wpeform-lite/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpeform-form-builder-wrapper, wpeform-form-render, wpeform-admin-wrap, wpeform-frontend-form
HTML Comments
Copyright Swashata Ghosh - WPQuark <swashata@wpquark.com>, 2019-2021. The PHP, JS, CSS and any other code and integrated HTML are licensed under the GPL license as is WordPress itself. You will find a copy of the license text in the same directory as this text file. Or you can read it here: (+21 more)
Data Attributes
data-wpeform-element-type, data-wpeform-form-id
JS Globals
wpeform_params
REST Endpoints
/wp-json/wpeform/v1/form
Shortcode Output
[wpeform
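To show how the patterns above are applied, here is an added example (not part of the original page and not the crawler's actual code) that runs them over a captured HTML document and pulls the plugin version from the ?ver= parameter on one of the plugin's own assets. The HTML is constructed sample input, not a real crawl result; the regular expressions and the wpeform_demo_* names are assumptions about how a scanner would encode the listed fingerprints.

```php
<?php
// Added example: fingerprint check over a captured page, using the patterns listed on this page.
// Pattern families map one-to-one onto the sections above (asset paths, CSS classes, data
// attributes, JS global, REST endpoint, shortcode output). The regexes are assumptions.
const WPEFORM_DEMO_PATTERNS = [
    'asset_path' => '#/wp-content/plugins/wpeform-lite/assets/(?:css/(?:admin-)?style\.css|js/(?:frontend|admin)\.js)#',
    'css_class'  => '#\bwpeform-(?:form-builder-wrapper|form-render|admin-wrap|frontend-form)\b#',
    'data_attr'  => '#\bdata-wpeform-(?:element-type|form-id)=#',
    'js_global'  => '#\bwpeform_params\b#',
    'rest_route' => '#/wp-json/wpeform/v1/form\b#',
    'shortcode'  => '#\[wpeform\b#',
];

/**
 * Return which fingerprint families matched, plus the version string if a ?ver= parameter is
 * attached to one of the plugin's own assets. Returns ['detected' => bool, 'signals' => string[], 'version' => ?string].
 */
function wpeform_demo_fingerprint(string $html): array {
    $hits = [];
    foreach (WPEFORM_DEMO_PATTERNS as $name => $re) {
        if (preg_match($re, $html)) {
            $hits[] = $name;
        }
    }

    // Only trust ?ver= when it is attached to a wpeform-lite asset, not to some other script on the page.
    $version = null;
    if (preg_match('#wpeform-lite/assets/(?:css|js)/[a-z-]+\.(?:css|js)\?ver=([0-9][0-9.]*)#', $html, $m)) {
        $version = $m[1];
    }

    return ['detected' => $hits !== [], 'signals' => $hits, 'version' => $version];
}

// Constructed sample page: what a site running the plugin might serve on a form page.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/wpeform-lite/assets/css/style.css?ver=1.6.5">
<div class="wpeform-form-render" data-wpeform-form-id="3"></div>
<script>var wpeform_params = {"restUrl":"https://example.test/wp-json/wpeform/v1/form"};</script>
<script src="https://example.test/wp-content/plugins/wpeform-lite/assets/js/frontend.js?ver=1.6.5"></script>
HTML;

print_r(wpeform_demo_fingerprint($sample));
```

Two caveats a practitioner should keep in mind when using the version signal. When a plugin enqueues an asset without specifying a version, WordPress appends its own core version number, so ?ver= can identify WordPress rather than the plugin; and caching or minification plugins often rewrite asset URLs and strip the parameter altogether. Treat the asset path and DOM markers as the detection signal and the ?ver= value as a hint to be confirmed, for example against the plugin's readme.txt if it is readable.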
FAQ

Frequently Asked Questions about WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms