WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

wpforms-lite · by smub · wordpress.org ↗ · SVN ↗

Acquired by Awesome Motive. Previously owned by WPForms. New committers from that team's naming convention are expected and will not fire takeover events. source ↗

Active installs: 6M+
Current version: 1.10.0.4
Added: 2016-03-14
Last updated: 2026-04-10 (21d ago)
First seen by beacon: 10d ago
Total downloads: 325,980,841

Alerts (0)

No open alerts.

Show 2 resolved alerts

Critical code_pattern Resolved · no_longer_matches 2026-04-24 15:56:44 (7d ago)

Slug	wpforms-lite
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`1.10.0.4`
Hit count	3
First hit	File vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php Line 71 Snippet L71: return \unserialize(\file_get_contents($file)); → L71: return \unserialize(\file_get_contents($file));
Explanation	a remote HTTP fetch (`wp_remote_*`/`curl_exec`) is followed by `unserialize`/`maybe_unserialize` within the same file — classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. Legit plugins essentially never do this.

View raw JSON

{
    "slug": "wpforms-lite",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "1.10.0.4",
    "hit_count": 3,
    "first_hit": {
        "file": "vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php",
        "line": 71,
        "snippet": "L71: return \\unserialize(\\file_get_contents($file));  \u2192  L71: return \\unserialize(\\file_get_contents($file));"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`) is followed by `unserialize`/`maybe_unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. Legit plugins essentially never do this."
}

Critical code_scan_delta Resolved · fp_vendored_library_local_cache 2026-04-24 15:33:57 (7d ago)

Slug wpforms-lite

Previous version 1.10.0.4

Current version 1.10.0.4

New findings

Pattern	Kind	File	Line	Snippet	Confidence
`unserialize_after_remote_call`	`builtin`	vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php	71	L71: return \unserialize(\file_get_contents($file)); → L71: return \unserialize(\file_get_contents($file));	`high`
`unserialize_after_remote_call`	`builtin`	`vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/ConfigSchema.php`	69	L68: $contents = \file_get_contents(\WPForms\Vendor\HTMLPURIFIER_PREFIX . '/HTMLPurifie → L69: $r = \unserialize($contents);	`high`
`unserialize_after_remote_call`	`builtin`	`vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/EntityLookup.php`	27	L27: $this->table = \unserialize(\file_get_contents($file)); → L27: $this->table = \unserialize(\file_get_contents($file));	`high`

New finding count 3

View raw JSON

{
    "slug": "wpforms-lite",
    "previous_version": "1.10.0.4",
    "current_version": "1.10.0.4",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php",
            "line": 71,
            "snippet": "L71: return \\unserialize(\\file_get_contents($file));  \u2192  L71: return \\unserialize(\\file_get_contents($file));",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/ConfigSchema.php",
            "line": 69,
            "snippet": "L68: $contents = \\file_get_contents(\\WPForms\\Vendor\\HTMLPURIFIER_PREFIX . '/HTMLPurifie  \u2192  L69: $r = \\unserialize($contents);",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/EntityLookup.php",
            "line": 27,
            "snippet": "L27: $this->table = \\unserialize(\\file_get_contents($file));  \u2192  L27: $this->table = \\unserialize(\\file_get_contents($file));",
            "confidence": "high"
        }
    ],
    "new_finding_count": 3
}

SVN committers (6)

Accounts with actual commit access to wpforms-lite on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
Jared Atchison	2009-09-08	68	2016-03-14 · r1370890	2020-03-05 · r2255103
Slava Abakumov	2008-11-01	66	2020-03-19 · r2263904	2023-12-13 · r3009482
Dimitris Mitsis	2015-02-04	55	2023-11-28 · r3002704	2026-04-10 · r3503351
jrfoell	2011-02-23	10	2024-01-16 · r3022357	2024-10-28 · r3177115
plugin-master	2007-03-09	1	2016-03-14 · r1370810	2016-03-14 · r1370810
Syed Balkhi	2008-06-22	1	2016-12-10 · r1551159	2018-10-27 · r1964009

Readme contributors (3)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
Slava Abakumov	2008-11-01	66 commits	Active
Syed Balkhi	2008-06-22	1 commits	Active
WPForms	2015-11-19	—	Active

Versions (100 most recent)

Version	Released	Download
1.10.0.4	2026-04-10 · 21d ago	zip
1.10.0.3	2026-04-08 · 24d ago	zip
1.10.0.2	2026-03-26 · 1mo ago	zip
1.10.0.1	2026-03-19 · 1mo ago	zip
1.9.9.4	2026-03-03 · 2mo ago	zip
1.9.9.3	2026-02-24 · 2mo ago	zip
1.9.9.2	2026-01-29 · 3mo ago	zip
1.9.8.7	2025-12-11 · 4mo ago	zip
1.9.8.4	2025-11-06 · 5mo ago	zip
1.9.8.2	2025-10-14 · 6mo ago	zip
1.9.8.1	2025-09-25 · 7mo ago	zip
1.9.7.3	2025-08-11 · 8mo ago	zip
1.9.7.2	2025-08-07 · 8mo ago	zip
1.9.7.1	2025-07-31 · 9mo ago	zip
1.9.6.2	2025-07-08 · 9mo ago	zip
1.9.6.1	2025-06-17 · 10mo ago	zip
1.9.6	2025-06-05 · 11mo ago	zip
1.9.5.2	2025-05-05 · 12mo ago	zip
1.9.5.1	2025-04-29 · 1y ago	zip
1.9.5	2025-04-24 · 1y ago	zip
1.9.4.2	2025-03-12 · 1y ago	zip
1.9.4.1	2025-02-27 · 1y ago	zip
1.9.3.2	2025-01-28 · 1y ago	zip
1.9.3.1	2025-01-16 · 1y ago	zip
1.9.2.3	2024-12-03 · 1y ago	zip
1.9.2.2	2024-11-18 · 1y ago	zip
1.9.2.1	2024-11-07 · 1y ago	zip
1.9.1.6	2024-10-28 · 1y ago	zip
1.9.1.5	2024-10-23 · 1y ago	zip
1.9.1.4	2024-10-17 · 1y ago	zip
1.9.1.3	2024-10-02 · 1y ago	zip
1.9.1.2	2024-09-27 · 1y ago	zip
1.9.1.1	2024-09-26 · 1y ago	zip
1.9.0.4	2024-08-23 · 1y ago	zip
1.9.0.3	2024-08-20 · 1y ago	zip
1.9.0.2	2024-08-13 · 1y ago	zip
1.9.0.1	2024-08-08 · 1y ago	zip
1.8.9.6	2024-07-09 · 1y ago	zip
1.8.9.5	2024-07-03 · 1y ago	zip
1.8.9.4	2024-06-27 · 1y ago	zip
1.8.9.2	2024-06-18 · 1y ago	zip
1.8.9.1	2024-06-13 · 1y ago	zip
1.8.8.3	2024-04-26 · 2y ago	zip
1.8.8.2	2024-04-23 · 2y ago	zip
1.8.7.2	2024-02-29 · 2y ago	zip
1.8.6.4	2024-01-31 · 2y ago	zip
1.8.6.3	2024-01-19 · 2y ago	zip
1.8.6.2	2024-01-16 · 2y ago	zip
1.8.5.4	2023-12-27 · 2y ago	zip
1.8.5.3	2023-12-13 · 2y ago	zip
1.8.5.2	2023-11-28 · 2y ago	zip
1.8.4.1	2023-10-24 · 2y ago	zip
1.8.4	2023-09-28 · 2y ago	zip
1.7.9	2023-08-11 · 2y ago	zip
1.8.3	2023-08-11 · 2y ago	zip
1.7.9.1	2023-08-11 · 2y ago	zip
1.8.0.1	2023-08-11 · 2y ago	zip
1.8.0.2	2023-08-11 · 2y ago	zip
1.8.1.1	2023-08-11 · 2y ago	zip
1.8.1.2	2023-08-11 · 2y ago	zip
1.8.1.3	2023-08-11 · 2y ago	zip
1.8.2.2	2023-08-11 · 2y ago	zip
1.8.2.3	2023-08-11 · 2y ago	zip
1.8.3.1	2023-08-11 · 2y ago	zip
1.8.2.1	2023-06-07 · 2y ago	zip
1.7.8	2022-11-10 · 3y ago	zip
1.7.7.2	2022-10-12 · 3y ago	zip
1.7.7.1	2022-10-05 · 3y ago	zip
1.7.7	2022-09-29 · 3y ago	zip
1.7.6	2022-09-08 · 3y ago	zip
1.7.5.5	2022-07-28 · 3y ago	zip
1.7.5.3	2022-07-19 · 3y ago	zip
1.7.5.2	2022-07-15 · 3y ago	zip
1.7.5.1	2022-06-30 · 3y ago	zip
1.7.4.2	2022-05-19 · 3y ago	zip
1.7.4.1	2022-05-05 · 3y ago	zip
1.7.4	2022-04-28 · 4y ago	zip
1.7.3	2022-03-17 · 4y ago	zip
1.7.2.1	2022-02-05 · 4y ago	zip
1.7.2	2022-01-06 · 4y ago	zip
1.7.1.2	2021-11-18 · 4y ago	zip
1.7.1.1	2021-11-11 · 4y ago	zip
1.7.0	2021-10-07 · 4y ago	zip
1.6.9	2021-08-26 · 4y ago	zip
1.6.8.1	2021-07-21 · 4y ago	zip
1.6.8	2021-07-15 · 4y ago	zip
1.6.7.3	2021-07-02 · 4y ago	zip
1.6.7.2	2021-06-25 · 4y ago	zip
1.6.7.1	2021-06-15 · 4y ago	zip
1.6.7	2021-05-13 · 4y ago	zip
1.6.6	2021-04-01 · 5y ago	zip
1.6.5	2021-02-18 · 5y ago	zip
1.6.4.1	2020-12-28 · 5y ago	zip
1.6.4	2020-12-17 · 5y ago	zip
1.6.3.1	2020-10-21 · 5y ago	zip
1.6.2.3	2020-09-10 · 5y ago	zip
1.6.2.2	2020-08-11 · 5y ago	zip
1.6.1	2020-06-25 · 5y ago	zip
1.6.0.2	2020-05-21 · 5y ago	zip
1.6.0.1	2020-04-21 · 6y ago	zip