Plugin inspection:

WordPress Form Manager

Potentially unsafe

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should weigh its potential problems very carefully and conduct a thorough assessment of your own. Read more about this recommendation.

Warnings

This recommendation applies to version 1.6.41 of this plugin, but the most recent version is 1.7.2. These findings may no longer be correct.

Findings

This plugin does not escape SQL. There are several likely vectors for local file inclusion. It outputs errors during normal execution. This plugin contains a PHP file that needs to be accessed directly (as opposed to using /wp-admin/admin-ajax.php), which will require whitelisting in hardened environments where access to PHP files outside of WordPress core has been disabled.

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

There are several include statements which seem very likely to contain LFI vulnerabilities.
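The two classes of finding above (unescaped SQL and request-controlled include paths) and the direct-access note map onto well-known WordPress hardening patterns. The following is an added illustration written for this review, not code from the Form Manager plugin; the function names, the template map and the `fm_forms` table are hypothetical, while `plugin_dir_path`, `sanitize_key`, `absint` and `$wpdb->prepare` are standard WordPress APIs.

```php
<?php
// Added illustration, not code from the Form Manager plugin.

// Block direct requests to a plugin file: outside WordPress, ABSPATH is
// undefined, so the file does nothing and leaks no errors or output.
defined( 'ABSPATH' ) || exit;

// --- Finding: include statements likely to allow local file inclusion ---

// Weak pattern: the request value becomes part of the include path, so a
// crafted value can pull in any readable file on the host.
function fm_example_load_template_weak() {
    include $_GET['template'] . '.php';
}

// Hardened pattern: the request value is only a key into a fixed allowlist;
// the path is never built from the input itself.
function fm_example_load_template( $name ) {
    $allowed = array(                       // hypothetical template map
        'contact' => 'templates/contact.php',
        'survey'  => 'templates/survey.php',
    );
    if ( ! isset( $allowed[ $name ] ) ) {
        return false;                       // unknown key: refuse, do not guess
    }
    include plugin_dir_path( __FILE__ ) . $allowed[ $name ];
    return true;
}

// sanitize_key() reduces the value to [a-z0-9_-]; the allowlist lookup is
// still the real control, the sanitiser just keeps logs and errors tidy.
$template = isset( $_GET['template'] ) ? sanitize_key( $_GET['template'] ) : '';
fm_example_load_template( $template );

// --- Finding: SQL is not escaped ---

// Weak pattern: string concatenation of an untrusted id into the query.
function fm_example_get_form_weak( $form_id ) {
    global $wpdb;
    return $wpdb->get_row(
        "SELECT id, title FROM {$wpdb->prefix}fm_forms WHERE id = " . $form_id
    );
}

// Hardened pattern: $wpdb->prepare() binds the value as an integer (%d),
// so no attacker-controlled text ever reaches the SQL parser as syntax.
function fm_example_get_form( $form_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}fm_forms WHERE id = %d",
        absint( $form_id )
    );
    return $wpdb->get_row( $sql );
}
```

When reviewing a plugin against the criteria below, these are the shapes to look for: an `include` or `require` whose operand contains a superglobal, and a `$wpdb->query()` or `get_*()` call whose SQL string is assembled with `.` rather than produced by `prepare()`.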

Failure criteria

  • Lack of input sanitisation
  • Execution of unprepared SQL statements
  • Unsafe file or network IO
  • Very large codebase

Read more about our failure criteria.