Collecting form submissions is valuable, but storing them inside WordPress also creates a high-value target because entries often include names, emails, phone numbers, messages, and sometimes sensitive business context. Database Addon for Contact Form 7 version 1.3.5 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64611, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for data capture and export plugins.
| Name of | Database Addon for Contact Form 7 – CFDB7 |
| Version | 1.3.5 |
| Downloads | 600 000+ |
| Description | The “CFDB7” plugin saves Contact Form 7 submissions to your WordPress database |
| Security | Successfully tested for: SQL Injection (SQLi); Cross-Site Scripting (XSS) – Stored & Reflected; Cross-Site Request Forgery (CSRF); Authentication Vulnerabilities; Authentication Bypass Exploits; Privilege Escalation; Buffer Overflow; Denial-of-Service (DoS) vectors; Data Leakage Vulnerabilities; Insecure Dependency Usage; Remote Code Execution (RCE) Risks; Unauthorized File Access; Insufficient Injection Protection; Information Disclosure via Misconfigured Endpoints |
| CleanTalk Certification | Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards. |
| Additional Information | Users can confidently manage age restrictions with the assurance of the “Plugin Security Certification” (PSC). Verify the latest details on the plugin developer’s website. |
Key Features
CFDB7 automatically saves Contact Form 7 submissions into the WordPress database without requiring configuration, which makes it operationally convenient and consistent across sites. It stores entries in a simplified structure and provides an admin interface to list captured submissions and manage form-specific views. A key workflow is export, where administrators can export stored submissions to CSV, supporting reporting, backups, and offline processing. The plugin also includes utilities such as a form email testing tool, and it offers additional Pro-oriented extensions like scheduled exports, advanced database mapping, external database connectivity, spreadsheet export, and file-upload-related add-ons. From a security standpoint, these features are relevant because they touch the most sensitive surfaces in WordPress plugins, namely admin pages, database queries, file generation for exports, and optional file handling in extensions.
Security Assurance
The CleanTalk Plugin Security Certification evaluation focuses on defensive coding and safe behavior under realistic attacker models. For a database logging plugin, the risk profile is clear: attackers often try to extract stored submissions, inject malicious payloads into saved fields to trigger admin-side execution, abuse export endpoints to download data, or exploit weak checks around form entry viewing to access other users' data. The review validates that administrative functionality is restricted to appropriate roles and that access control is enforced consistently, not only in menus but also in the underlying handlers. It also checks that inputs that reach database queries are handled safely, that any HTML rendering of stored entries is output-encoded to prevent stored XSS, and that state-changing requests are protected to prevent CSRF. Because exports generate files and can include personal data, the review also considers leakage vectors such as unauthenticated download links, predictable filenames, directory traversal patterns, overly verbose logs, and unsafe exposure through endpoints.
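The checks described above, sketched as a hypothetical export handler and list-cell renderer. This is an added example, not code from CFDB7 or from CleanTalk; the action name, table name and column names are assumptions, and the code expects to be loaded inside a WordPress plugin.

```php
<?php
// Added illustration: hypothetical plugin code, not taken from CFDB7.
// Assumed names: action "example_export_entries", table "{prefix}example_entries".
add_action( 'admin_post_example_export_entries', 'example_export_entries' );

function example_export_entries() {
    // Enforce access control in the handler itself: hiding the menu item is
    // not enough, because admin-post.php can be requested directly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export entries.', 'example' ), 403 );
    }
    // CSRF: the export form must carry wp_nonce_field( 'example_export_entries' ).
    check_admin_referer( 'example_export_entries' );
    // Input reaching SQL: cast to an integer and bind it through a placeholder.
    $form_id = isset( $_REQUEST['form_id'] ) ? absint( $_REQUEST['form_id'] ) : 0;
    global $wpdb;
    $table = $wpdb->prefix . 'example_entries';
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT form_date, form_value FROM {$table} WHERE form_id = %d",
            $form_id
        ),
        ARRAY_A
    );
    // Leakage: stream the CSV to the authenticated session instead of writing
    // a file with a guessable name under wp-content/uploads.
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="entries-' . $form_id . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, array( $row['form_date'], $row['form_value'] ), ',', '"', '\\' );
    }
    fclose( $out );
    exit;
}

// Listing entries in wp-admin: encode stored values on output to stop stored XSS.
function example_render_cell( $value ) {
    return '<td>' . esc_html( $value ) . '</td>';
}
```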
The plugin has been successfully tested for:
✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ Unauthorized File Access Vulnerabilities
✅ Insufficient Injection Protection
Conclusion
With PSC-2026-64611, Database Addon for Contact Form 7 version 1.3.5 demonstrates strong baseline security for the workflows that matter most in form logging plugins: capturing submissions, presenting entries in wp-admin, and exporting records. This certification helps site owners who need auditable submission storage reduce risk by choosing a solution that has been checked against common WordPress vulnerability classes. As a best practice, always keep access to stored entries limited to trusted roles, review who can export data, and apply a clear retention policy, since stored submissions can become sensitive historical records over time.
Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.
