WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

wpforms-lite · by smub
Acquired by Awesome Motive. Previously owned by WPForms. New committers from that team's naming convention are expected and will not fire takeover events.
Active installs: 6M+
Current version: 1.10.0.4
Added: 2016-03-14
Last updated: 2026-04-10 (1mo ago)
First seen by beacon: 1mo ago
Total downloads: 326,152,584

Alerts (0)

No open alerts.

Resolved alerts (3)

Medium code_scan_match Resolved · fp:overgeneric_ioc 2026-05-02 22:48:37 (19d ago)
Slug: wpforms-lite
Finding count: 11
Findings
Pattern | Kind | File | Line | Snippet | Confidence
base64_decode | builtin | includes/class-process.php | 1,348 | $query_args = base64_decode( $hash ); | medium
eval_call | builtin | vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/VarParser/Native.php | 30 | $result = eval("\$var = {$expr};"); | medium
eval_call | builtin | vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php | 157 | return eval('return array(' . $contents . ');'); | medium
base64_decode | builtin | vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/URIScheme/data.php | 81 | $raw_data = \base64_decode($data); | medium
base64_decode | builtin | src/Tasks/Meta.php | 227 | $decoded = base64_decode( $meta->data ); | medium
base64_decode | builtin | src/Helpers/Crypto.php | 27 | return base64_decode( $secret_key ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode | medium
base64_decode | builtin | src/Helpers/Crypto.php | 91 | $decoded = base64_decode( (string) $encrypted ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode | medium
Upgrade | ioc:changelog_phrase | readme.txt | 162 | You can see why WPForms is the best WordPress contact form plugin on the market! Want to unlock these features? [Upgrade to our Pro version](https://wpforms.com/?utm_source=wprepo&utm_medium=link&utm_ | low
Upgrade | ioc:changelog_phrase | readme.txt | 541 | - IMPORTANT: Support for PHP 7.1 has been discontinued. If you are running PHP 7.1, you MUST upgrade PHP before installing WPForms 1.9.5. Failure to do that will disable WPForms core functionality. | low
Upgrade | ioc:changelog_phrase | readme.txt | 599 | - IMPORTANT: Support for PHP 7.0 has been discontinued. If you are running PHP 7.0, you MUST upgrade PHP before installing WPForms 1.9.3. Failure to do that will disable WPForms core functionality. | low
Upgrade | ioc:changelog_phrase | readme.txt | 821 | - Fixed: Upgrade to the Pro link had wrong styling on Bluehost hosted sites. | low
Triage note 2026 05 03: wpforms-lite: base64_decode + eval matches in vendored ezyang/htmlpurifier library + Crypto helpers. WPForms is well-known form plugin.
Critical code_pattern Resolved · no_longer_matches 2026-04-24 15:56:44 (28d ago)
Slug: wpforms-lite
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 1.10.0.4
Hit count: 3
First hit
File: vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php
Line: 71
Snippet: L71: return \unserialize(\file_get_contents($file)); → L71: return \unserialize(\file_get_contents($file));
Explanation: a remote HTTP fetch (`wp_remote_*`/`curl_exec`) is followed by `unserialize`/`maybe_unserialize` within the same file — classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. Legit plugins essentially never do this.
Critical code_scan_delta Resolved · fp_vendored_library_local_cache 2026-04-24 15:33:57 (28d ago)
Slug: wpforms-lite
Previous version: 1.10.0.4
Current version: 1.10.0.4
New findings
Pattern | Kind | File | Line | Snippet | Confidence
unserialize_after_remote_call | builtin | vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php | 71 | L71: return \unserialize(\file_get_contents($file)); → L71: return \unserialize(\file_get_contents($file)); | high
unserialize_after_remote_call | builtin | vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/ConfigSchema.php | 69 | L68: $contents = \file_get_contents(\WPForms\Vendor\HTMLPURIFIER_PREFIX . '/HTMLPurifie → L69: $r = \unserialize($contents); | high
unserialize_after_remote_call | builtin | vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/EntityLookup.php | 27 | L27: $this->table = \unserialize(\file_get_contents($file)); → L27: $this->table = \unserialize(\file_get_contents($file)); | high
New finding count: 3

SVN committers (6)

Accounts with actual commit access to wpforms-lite on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer | Member since | Commits | First commit | Latest commit
Jared Atchison | 2009-09-08 | 68 | 2016-03-14 · r1370890 | 2020-03-05 · r2255103
Slava Abakumov | 2008-11-01 | 66 | 2020-03-19 · r2263904 | 2023-12-13 · r3009482
Dimitris Mitsis | 2015-02-04 | 55 | 2023-11-28 · r3002704 | 2026-04-10 · r3503351
jrfoell | 2011-02-23 | 10 | 2024-01-16 · r3022357 | 2024-10-28 · r3177115
plugin-master | 2007-03-09 | 1 | 2016-03-14 · r1370810 | 2016-03-14 · r1370810
Syed Balkhi | 2008-06-22 | 1 | 2016-12-10 · r1551159 | 2018-10-27 · r1964009

Readme contributors (3)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor | Member since | SVN access | Status
Slava Abakumov | 2008-11-01 | 66 commits | Active
Syed Balkhi | 2008-06-22 | 1 commits | Active
WPForms | 2015-11-19 | | Active

Versions (100 most recent)

Version Released Download
1.10.0.4 2026-04-10 · 1mo ago zip
1.10.0.3 2026-04-08 · 1mo ago zip
1.10.0.2 2026-03-26 · 1mo ago zip
1.10.0.1 2026-03-19 · 2mo ago zip
1.9.9.4 2026-03-03 · 2mo ago zip
1.9.9.3 2026-02-24 · 2mo ago zip
1.9.9.2 2026-01-29 · 3mo ago zip
1.9.8.7 2025-12-11 · 5mo ago zip
1.9.8.4 2025-11-06 · 6mo ago zip
1.9.8.2 2025-10-14 · 7mo ago zip
1.9.8.1 2025-09-25 · 7mo ago zip
1.9.7.3 2025-08-11 · 9mo ago zip
1.9.7.2 2025-08-07 · 9mo ago zip
1.9.7.1 2025-07-31 · 9mo ago zip
1.9.6.2 2025-07-08 · 10mo ago zip
1.9.6.1 2025-06-17 · 11mo ago zip
1.9.6 2025-06-05 · 11mo ago zip
1.9.5.2 2025-05-05 · 1y ago zip
1.9.5.1 2025-04-29 · 1y ago zip
1.9.5 2025-04-24 · 1y ago zip
1.9.4.2 2025-03-12 · 1y ago zip
1.9.4.1 2025-02-27 · 1y ago zip
1.9.3.2 2025-01-28 · 1y ago zip
1.9.3.1 2025-01-16 · 1y ago zip
1.9.2.3 2024-12-03 · 1y ago zip
1.9.2.2 2024-11-18 · 1y ago zip
1.9.2.1 2024-11-07 · 1y ago zip
1.9.1.6 2024-10-28 · 1y ago zip
1.9.1.5 2024-10-23 · 1y ago zip
1.9.1.4 2024-10-17 · 1y ago zip
1.9.1.3 2024-10-02 · 1y ago zip
1.9.1.2 2024-09-27 · 1y ago zip
1.9.1.1 2024-09-26 · 1y ago zip
1.9.0.4 2024-08-23 · 1y ago zip
1.9.0.3 2024-08-20 · 1y ago zip
1.9.0.2 2024-08-13 · 1y ago zip
1.9.0.1 2024-08-08 · 1y ago zip
1.8.9.6 2024-07-09 · 1y ago zip
1.8.9.5 2024-07-03 · 1y ago zip
1.8.9.4 2024-06-27 · 1y ago zip
1.8.9.2 2024-06-18 · 1y ago zip
1.8.9.1 2024-06-13 · 1y ago zip
1.8.8.3 2024-04-26 · 2y ago zip
1.8.8.2 2024-04-23 · 2y ago zip
1.8.7.2 2024-02-29 · 2y ago zip
1.8.6.4 2024-01-31 · 2y ago zip
1.8.6.3 2024-01-19 · 2y ago zip
1.8.6.2 2024-01-16 · 2y ago zip
1.8.5.4 2023-12-27 · 2y ago zip
1.8.5.3 2023-12-13 · 2y ago zip
1.8.5.2 2023-11-28 · 2y ago zip
1.8.4.1 2023-10-24 · 2y ago zip
1.8.4 2023-09-28 · 2y ago zip
1.7.9 2023-08-11 · 2y ago zip
1.8.3 2023-08-11 · 2y ago zip
1.7.9.1 2023-08-11 · 2y ago zip
1.8.0.1 2023-08-11 · 2y ago zip
1.8.0.2 2023-08-11 · 2y ago zip
1.8.1.1 2023-08-11 · 2y ago zip
1.8.1.2 2023-08-11 · 2y ago zip
1.8.1.3 2023-08-11 · 2y ago zip
1.8.2.2 2023-08-11 · 2y ago zip
1.8.2.3 2023-08-11 · 2y ago zip
1.8.3.1 2023-08-11 · 2y ago zip
1.8.2.1 2023-06-07 · 2y ago zip
1.7.8 2022-11-10 · 3y ago zip
1.7.7.2 2022-10-12 · 3y ago zip
1.7.7.1 2022-10-05 · 3y ago zip
1.7.7 2022-09-29 · 3y ago zip
1.7.6 2022-09-08 · 3y ago zip
1.7.5.5 2022-07-28 · 3y ago zip
1.7.5.3 2022-07-19 · 3y ago zip
1.7.5.2 2022-07-15 · 3y ago zip
1.7.5.1 2022-06-30 · 3y ago zip
1.7.4.2 2022-05-19 · 4y ago zip
1.7.4.1 2022-05-05 · 4y ago zip
1.7.4 2022-04-28 · 4y ago zip
1.7.3 2022-03-17 · 4y ago zip
1.7.2.1 2022-02-05 · 4y ago zip
1.7.2 2022-01-06 · 4y ago zip
1.7.1.2 2021-11-18 · 4y ago zip
1.7.1.1 2021-11-11 · 4y ago zip
1.7.0 2021-10-07 · 4y ago zip
1.6.9 2021-08-26 · 4y ago zip
1.6.8.1 2021-07-21 · 4y ago zip
1.6.8 2021-07-15 · 4y ago zip
1.6.7.3 2021-07-02 · 4y ago zip
1.6.7.2 2021-06-25 · 4y ago zip
1.6.7.1 2021-06-15 · 4y ago zip
1.6.7 2021-05-13 · 5y ago zip
1.6.6 2021-04-01 · 5y ago zip
1.6.5 2021-02-18 · 5y ago zip
1.6.4.1 2020-12-28 · 5y ago zip
1.6.4 2020-12-17 · 5y ago zip
1.6.3.1 2020-10-21 · 5y ago zip
1.6.2.3 2020-09-10 · 5y ago zip
1.6.2.2 2020-08-11 · 5y ago zip
1.6.1 2020-06-25 · 5y ago zip
1.6.0.2 2020-05-21 · 6y ago zip
1.6.0.1 2020-04-21 · 6y ago zip