Plugin inspection:

FormGet Contact Form

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.


This recommendation applies to version 5.3.5 of this plugin, but the most recent version is 5.3.6. These findings may no longer be correct.


  • Note that this plugin appears to be a wrapper for rather than doing the work purely within WordPress
    • This may be a compliance issue for organisations with high data security requirements
    • It also means that there may be some functionality which cannot be legally tested by third-parties without permission
  • is loaded in an iframe over an unencrypted HTTP connection in wp-admin
  • assets are loaded over an unencrypted HTTP connection when displayed to the user, at least when using http:// URLs to access the site in question – this appears to switch to HTTPS when the site is accessed via https:// URLs

Failure criteria

  • Unsafe file or network IO

Read more about our failure criteria.