Plugin inspection:

File Upload Types by WPForms

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.


This recommendation applies to version 1.2.2 of this plugin, but the most recent version is 1.4.0. These findings may no longer be correct.


This plugin is based on using standard WordPress hooks and filters. There are no issues found from a basic inspection of the plugin.

As the plugin can potentially allow any filetype (according to settings), consider potential trust/security issues with allowing especially filetypes that are more dynamic or executable. For example, HTML may include JavaScript.

The plugin settings are in the Settings menu, so available to any role that can access this (administrators by default).

Reason for the 'Use with caution' result

The plugin has been given this recommendation at the tester's discretion:

By its nature this plugin usefully enables adding files of any type to the WordPress media folders, according to the customisable settings. Therefore, the onus is on the plugin user to control which types of files can be added , with caution for more dynamic types such as HTML with JavaScript. They should also consider which users have the administrative access to modify these settings.