CVE-2022-25601: Contact Form X
Reflected Cross-Site Scripting (XSS) vulnerability affecting the tab parameter, discovered in the Contact Form X WordPress plugin (versions <= 2.4).
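Added example (not code from the Contact Form X plugin): the pattern that gives rise to a reflected XSS in a settings-page tab parameter, beside a hardened version that resolves the request value against an allowlist and escapes everything at output. The tab slugs, the page slug "contactformx" and the function names are assumptions for illustration.

```php
<?php
// Constructed example, not the plugin's code. Tab slugs and the "page" slug are assumed.

// Weak pattern: the raw request value is trusted and later echoed into markup,
// so a crafted link to the settings page can inject attacker-controlled HTML
// (the reflected XSS class reported as CVE-2022-25601).
function cfx_example_active_tab_unsafe() {
    return isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
}

// Hardened pattern: normalize the value, then resolve it against a fixed
// allowlist so only known slugs ever reach the output. Unknown values fall
// back to the default instead of being reflected.
function cfx_example_active_tab( $default = 'general' ) {
    $allowed = array( 'general', 'appearance', 'advanced', 'help' ); // assumed slugs

    $requested = isset( $_GET['tab'] )
        ? sanitize_key( wp_unslash( $_GET['tab'] ) ) // lowercases, keeps [a-z0-9_-] only
        : $default;

    return in_array( $requested, $allowed, true ) ? $requested : $default;
}

// Render the tab navigation. Even though $active is already allowlisted,
// every value is escaped for the context it lands in (attribute, URL, text).
function cfx_example_render_tab_nav() {
    $tabs   = array(
        'general'    => 'General',
        'appearance' => 'Appearance',
        'advanced'   => 'Advanced',
        'help'       => 'Help',
    );
    $active = cfx_example_active_tab();

    foreach ( $tabs as $slug => $label ) {
        $url   = add_query_arg(
            array( 'page' => 'contactformx', 'tab' => $slug ), // "page" slug assumed
            admin_url( 'options-general.php' )
        );
        $class = ( $slug === $active ) ? 'nav-tab nav-tab-active' : 'nav-tab';

        printf(
            '<a class="%s" href="%s">%s</a>',
            esc_attr( $class ),
            esc_url( $url ),
            esc_html( $label )
        );
    }
}
```

A quick check for this class of bug is to request the settings page with an unexpected tab value and confirm the response falls back to the default tab rather than echoing the value.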
Displays a user-friendly contact form that your visitors will love.
CFX: Contact form reinvented. Fast and friendly. Fresh and clean. Awesome for everyone 🙂
Overview
Install, activate, and then display the form anywhere, using the widget, shortcode, or template tag. Here is an overview of Contact Form X:
- Easy to use
- Simple and secure
- Lightweight and super fast
- Provides multiple form styles
- Customize just about everything
- Display the contact form anywhere
- Change the order of the form fields
- Send email to multiple recipients
- Complete documentation via Help tab
- Excellent free plugin support
“The famous spam filter SpamAssassin” scores CFX = zero spam!
For more details, check out the “Screenshots” section, below.
Form Fields
Easily choose which fields to display in the form. Each field may be set as required, optional, or disabled. Choose from these fields:
- Name
- Website
- Subject
- Custom Field
- Challenge Question
- Message
- Google reCaptcha (v2 or v3 Invisible)
- Carbon Copy
- Agree to Terms
You can change the order of these fields and customize their labels and placeholders; everything is super flexible.
For a live demo of Contact Form X, visit my contact page at Perishable Press. Note: the form at Perishable Press is highly customized with CSS, but all other functionality is the same. Feel free to send a test email to see how it works; I won’t mind 😉 Also check out CFX in the “Screenshots” section (below) for a better idea of how the default form is styled out of the box.
Privacy
To help protect user privacy, Contact Form X provides the following features:
- Agree to terms checkbox, customizable
- Choose which fields to include with the form
- Option to disable collection of user IP address and other data
- Note: this plugin uses cookies to enhance form functionality
Basically, this plugin enables visitors to send a message via contact form. Any information the user enters into the form will be sent directly to the recipient(s) according to plugin settings. When enabled in the plugin settings, details about each sent message will be stored in the WordPress database. Visit the “Advanced” plugin settings to control this and other data-collection features.
Note: This plugin provides an option to enable Google reCaptcha, which is provided by Google as a third-party service. For details on privacy and more, please refer to official documentation for Google reCaptcha.
CFX is developed and maintained by Jeff Starr, 10-year WordPress developer, security specialist, and book author.
Geeky Stuff
Lots of goodness for the geeks among us:
- Built with the WordPress API
- Ajax-powered form submission
- Remembers form data on error
- Google reCaptcha version 2
- NEW: Google reCaptcha version 3 (invisible)
- NEW: Drag/drop ordering of the form fields
- View your email messages on the WP Dashboard
- Option to enable/disable storing of email data in database
- Display form via widget, shortcode, or template tag
- Five CSS themes: Default, Classic, Micro, Synthetic, Dark
- Optionally collect user data like IP, host, and referrer
- Works perfectly with or without Gutenberg Block Editor
- Focused on performance, security, and usability
- Include extra form and user info with each message
- Customize the form’s success and error messages
- Provides plenty of useful hooks for developers
- Targeted loading of CSS and JavaScript assets
- One-click remove email data from database
- One-click restore default options
- Translation ready
Contact Form X is a fresh new, lighter alternative to the heavier contact forms out there. CFX is lightweight yet fully featured. As they say, “everything you want, nothing you don’t”.
Support development of this plugin
I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:
- The Tao of WordPress
- Digging into WordPress
- .htaccess made easy
- WordPress Themes In Depth
- Wizard’s SQL Recipes for WordPress
And/or purchase one of my premium WordPress plugins:
- BBQ Pro – Super fast WordPress firewall
- Blackhole Pro – Automatically block bad bots
- Banhammer Pro – Monitor traffic and ban the bad guys
- GA Google Analytics Pro – Connect WordPress to Google Analytics
- USP Pro – Unlimited front-end forms
Links, tweets and likes also appreciated. Thanks! 🙂
Installing the plugin
- Upload the plugin to your blog and activate
- Configure the plugin settings as desired
- Display the form on any post or page via shortcode:
[contactformx]
Visit the Help tab on the plugin settings page for complete documentation.
More info on installing WP plugins
Uninstalling
This plugin cleans up after itself. All plugin settings will be removed from your database when the plugin is uninstalled via the Plugins screen.
Note: uninstalling/deleting the plugin via the WP Plugins screen results in the removal of all settings and email data from the WP database.
Like the plugin?
If you like Contact Form X, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!
What about the styles?
The plugin provides five form styles (themes): Default, Classic, Micro, Synthetic, and Dark.
The first three themes (Default, Classic, Micro) employ minimal, mostly structural styles. One of the benefits of using the minimal styles is that they allow your WordPress theme to set the form’s appearance. And that’s good because it helps keep your pages looking visually consistent across your site.
The last two themes (Synthetic, Dark) go much further with the stylings. The Synthetic and Dark styles will override any/most CSS applied via your WordPress theme. So if the contact form looks weird when trying Default, Classic, or Micro, try Synthetic or Dark; either should do the trick.
What about targeted loading of assets?
Sure. By default, Contact Form X loads its assets (CSS and JavaScript) on every front-end page. So if you display a contact form in your sidebar, it will work on all pages.
Some sites prefer to have a “Contact” page, and then just display the contact form in one location. In this scenario, it doesn’t make sense to include plugin assets on every front-end page. So CFX provides a setting called “Targeted Loading” (under the Advanced tab). There you can enter the URL of the page that displays the contact form. That way, the plugin will know to load assets only on that page. This is an excellent way to help keep things optimized for performance and so forth.
How to change the button color?
In the plugin settings, visit the “Appearance” tab. There you will see the first option, “Form Style”. That tells you which styles are used for the form. So to change the button color, scroll down to locate the styles that you are using (e.g., Default, Classic, Micro, et al). To change the color of the submit button, add the following line to whichever styles you are using:
#cfx .cfx-button { background: red !important; }
Change the red to whatever color you want. You can use hex values, rgba, or any valid CSS value. Save changes and done.
Visit the Advanced tab and enable the “Extra Email Info” option. Save changes and done.
How to defer or async loading of JavaScript?
The recommended way to defer or async load JavaScript is to use a trusted plugin, such as this one.
How to set maxlength on the Message textarea?
It is possible to set a maxlength attribute on the Message field, a textarea. To do so, add the following code via (child) theme or custom plugin:
// Return the maximum number of characters allowed in the Message textarea.
function contactformx_textarea_maxlength($chars) { return 500; }
add_filter('contactformx_textarea_maxlength', 'contactformx_textarea_maxlength');
You can adjust the number of characters by changing 500 to any number.
How to display the form shortcode inside a widget?
Enable the Advanced option, “Widget Shortcodes”. Save changes and done.
How to change the language for Google reCaptcha?
By default, the Google reCaptcha field is displayed in English. To change that to some other language, first locate the two-digit abbreviation for your language here. Then add the following code to your theme (or child theme) functions.php, or add via simple custom plugin:
// Return the two-character language code appended to the reCaptcha script query string.
function contactformx_recaptcha_querystring($query) { return 'en'; }
add_filter('contactformx_recaptcha_querystring', 'contactformx_recaptcha_querystring');
Notice where it says en: that is the two-character language code you want to replace with your own. Then save changes and done.
How to remove or empty the old database table?
In CFX v1.9, sent emails may optionally be stored in the database as custom post types. Before CFX v1.9, email data was stored in its own separate database table. So that means users who are upgrading from previous versions to 1.9 or better will have an unused email table in their database. It won’t hurt or affect anything, but you may want to empty or remove it to help save space.
Important: the following steps are for users of CFX v1.9+ who have upgraded from a previous version. Do NOT follow these steps if using CFX versions less than 1.9, OR if you never have used any version of CFX less than 1.9.
To empty the old/unused CFX database table:
- Log in to WordPress as admin-level user
- Create a new page and leave in Draft status
- Add [contactformx_legacy_empty_table] to the page
- Preview the page on the frontend
- Click the link to Empty the CFX database table
- After seeing the success message, delete the draft page and shortcode
To remove the old/unused CFX database table:
- Log in to WordPress as admin-level user
- Create a new page and leave in Draft status
- Add [contactformx_legacy_drop_table] to the page
- Preview the page on the frontend
- Click the link to Empty the CFX database table
- After seeing the success message, delete the draft page and shortcode
Using a temporary/draft page for the shortcode and then deleting it afterwards ensures that only YOU are making changes to the database. It is important to not display either of the above shortcodes publicly.
Got a question?
Send any questions or feedback via my contact form.
Works great, feels fast and light.
This form plugin is way better than Contact Form 7. I have a feature request. Plz load the CSS and JS only on the page where the shortcode is used. I know there is a manual option available for that. But not everyone notices that, and site speed becomes slower because of the shitty reCaptcha JS file.
It just works, straight out of the box, and the emails go right to my inbox (not spam)! And it literally takes minutes to get it up and running! My old contact form stopped working (wasn’t developed anymore), and WPForms didn’t work (it only sent one test email to spam, then stopped working altogether). Thank you so much Jeff!
Finally a good simple alternative. The only thing lacking is support for multiple forms and multilingual support.
I was looking for a simple contact form, and I found it. I like the “Targeted Loading” option: the plugin assets are only loaded on one page, the page where the form is used. You only need to add the page link of the contact form. The plugin setup is very easy, and it includes all the options that a contact form should have. Thank you Jeff Starr for this plugin.
I love Contact Form X. It’s as simple as it gets, but it’s also possible to customise should you wish. If you’re having issues with form spam, this plugin will sort it. I’ve used it on multiple WP sites with great results. Thanks Jeff!
Read all 25 reviews
“Contact Form X” is open source software. The following people have contributed to this plugin.
Contributors
- Jeff Starr
If you like CFX, please take a moment to give a 5-star rating. It is super appreciated and really helps to keep plugin development going strong.
2.4.1 (2022/02/24)
- Improves security on plugin settings page (Thanks Vlad Ex.Mi)
- Generates new default translation template
- Tests on WordPress 5.9
2.4 (2022/01/08)
- Improves loading of translations
- Improves performance of plugin settings
- Updates some links to external resources
- Changes minimum required WP version to 4.6
- Tests on WordPress 5.9
2.3 (2021/07/12)
- Adds filter hook contactformx_send_carbon_message
- Adds .cfx-noscript-wrap to <noscript>
- Improves CSS for Dashboard widget
- Improves CSS for success message
- Improves CSS for plugin settings
- Tests on WordPress 5.8
2.2.1 (2021/02/12)
- Fixes bug with Email Recipient settings (Thanks @mbrsolution)
- Tests on WordPress 5.7
2.2 (2021/02/08)
- Fixes call_user_func() expects parameter 1 to be valid callback
- Adds filter hook contactformx_recaptcha_querystring
- Tests on WordPress 5.7
2.1 (2020/11/08)
- Adds drag/drop ordering of form fields 🙂
- Adds option to enable display of shortcodes in widgets
- Adds option to display dashboard widget when user can edit_post
- Adds filter hook contactformx_textarea_maxlength
- Updates plugin script to account for changes in jQuery UI
- Simplifies enqueue logic for plugin settings page
- Improves form HTML and CSS for better validation
- Replaces linear-gradient(top with linear-gradient(to bottom
- Updates Help tab information
- Updates default translation template
- Improves display of settings page
- Generates new default translation template
- Tests on PHP 7.4 and 8.0
- Tests on WordPress 5.6
2.0 (2020/07/31)
- Changes default “From” address to “[email protected]”
- Adds options to display success message without the reset button
- Fixes bug with fields not forgetting submitted values
- Fine tunes the CFX dashboard widget
- Updates contextual Help tab information
- Generates new default translation template
- Refines readme/documentation
- Tests on WordPress 5.5
1.9.2 (2020/06/08)
- Sets exclude_from_search to true
- Tests on WordPress 5.4
1.9.1 (2020/03/11)
- Fixes bug where dates not showing on dashboard widget
- Tests on WordPress 5.4
1.9 (2020/03/08)
- Adds option to disable storing email info in database
- Replaces custom database table with custom post types
- Adds Google reCaptcha v3 (hidden reCaptcha)
- Updates Google reCaptcha version 2 library
- Improves “Email Message Extra” option name and description
- Improves sanitization of post data
- Improves security of form cookies
- Improves display of dashboard widget
- Improves default button styles
- Improves noscript display styles
- Adds legacy functions for database
- Fixes PHP warning for contactformx_enqueue_resources_admin()
- Fixes incorrect URL for email icon
- Updates infos in the plugin Help tab
- Generates new default translation template
- Tests on WordPress 5.4
1.8 (2019/10/24)
- Updates styles for plugin settings page
- Improves logic of contactformx_maybe_enqueue()
- Generates new default translation template
- Tests on WordPress 5.3
1.7 (2019/09/02)
- Fixes bug with non-admin users
- Fixes bug with default subject line
- Fixes bug with carbon copy reply-to address
- Adds support for autofill values on input fields
- Tweaks function contactformx_enable_data()
- Improves targeted enqueue scripts functionality
- Renames contactformx_send_headers to contactformx_mail_headers
- Generates new default translation template
- Fine-tunes display of plugin page
- Updates some links to https
- Tests on WordPress 5.3 (alpha)
1.6 (2019/04/28)
- Bumps minimum PHP version to 5.6.20
- Updates default translation template
- Tests on WordPress 5.2
1.5 (2019/03/04)
- Bumps minimum PHP version to 5.3
- Removes support for deprecated reCaptcha
- Adds responsive styles for mobile browsers
- Changes input type to email for email field
- Simplifies “Additional Information” display
- Bugfix: label and placeholder in reverse order
- Tweaks plugin settings screen UI
- Generates new default translation template
- Tests on WordPress 5.2 (alpha)
1.4 (2019/02/02)
- Just a version bump for compat with WP 5.1
- Full update coming soon 🙂
1.3 (2018/11/12)
- Adds homepage link to Plugins screen
- Adds option to display “powered by CFX”
- Improves display of CFX dashboard widget
- Improves logic of contactformx_print_js_vars_admin
- Improves logic of contactformx_maybe_enqueue
- Updates default translation template
- Tests on WordPress 5.0 (beta)
1.2 (2018/08/13)
- Tweaks styles on plugin settings page
- Replaces wp_kses_post with wp_strip_all_tags for style settings
- Adds rel="noopener noreferrer" to all blank-target links
- Updates donate link
- Updates GDPR blurb
- Adds option to customize invalid-email error message
- Improves CSS for all form styles
- Improves CSS for Dashboard widget
- Adds “Rate Plugin” link to Advanced tab
- Updates value of CONTACTFORMX_HOME constant
- Regenerates default translation template
- Further tests on WP versions 4.9 and 5.0 (alpha)
1.1 (2018/06/07)
- Changes required to host plugin at WordPress.org
1.0 (2018/06/05)
- Initial release