MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor (v4.1.3) is a powerful drag-and-drop form builder plugin designed to extend Elementor with advanced form creation capabilities. It allows users to build complex forms such as contact forms, surveys, booking forms, payment forms, and more without writing code.

Built for websites running on WordPress, MetForm integrates deeply into both frontend and backend workflows, handling user input, data storage, AJAX submissions, file uploads, and third-party integrations.

With over 600,000 active installations, the plugin operates in a highly sensitive layer of application logic, making security a critical factor. A comprehensive source-code audit was conducted to evaluate its safety.

Name: MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Version: 4.1.3

Active installations: 600,000

Description: Advanced Elementor-based form builder with secure input handling, AJAX processing, and certified code integrity (PSC-2026-64642)

Security: Successfully tested for:

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS) – Stored & Reflected
  • Cross-Site Request Forgery (CSRF)
  • Authentication Vulnerabilities
  • Authentication Bypass Exploits
  • Privilege Escalation
  • Buffer Overflow
  • Denial-of-Service (DoS) vectors
  • Data Leakage Vulnerabilities
  • Insecure Dependency Usage
  • Remote Code Execution (RCE) Risks
  • Unauthorized File Access
  • Insufficient Injection Protection
  • Information Disclosure via Misconfigured Endpoints

CleanTalk Certification: Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards.

Additional Information: Site owners can apply caching and performance optimizations with the assurance of the “Plugin Security Certification” (PSC). As a best practice, restrict optimization and cache controls to trusted administrators, validate exclusions for stateful paths (checkout, account, login), and test aggressive settings on staging before enabling them on production.

Key Features

MetForm provides a full-featured form-building ecosystem:

  • Drag-and-drop form builder (Elementor-based)
  • 40+ input field types (text, email, file upload, payment, signature, etc.)
  • AJAX form submission (no page reload)
  • Multi-step and conditional logic forms
  • File upload support (local, Dropbox, Google Drive links)
  • reCAPTCHA integration for spam protection
  • Admin notifications and user confirmation emails
  • Data storage in WordPress admin panel
  • Export entries (CSV, Google Sheets)
  • HubSpot and Mailchimp integration
  • Redirect after submission
  • Entry limits and validation rules
  • Shortcode support for flexible embedding

The plugin processes user-generated data extensively, making secure input handling essential.

Security Assurance

The CleanTalk Plugin Security Certification evaluation for performance and caching plugins focuses on attacker models that target configuration integrity, availability, and information exposure. Common abuse patterns include forcing state changes via CSRF against administrators (purge cache, change caching mode, alter optimization flags), abusing weak capability checks to let lower-privileged roles reach optimization controls, and probing handlers for information disclosure such as environment diagnostics, cache status, or internal identifiers. Because caching and optimization may write files and generate derived artifacts, the review also considers safe file and path handling, conservative endpoint exposure, and safe output encoding in wp-admin screens to reduce XSS risk. The review validates consistent capability checks at the handler level, nonce and CSRF protections for state-changing operations, safe handling of user-controlled inputs, and error handling that avoids leaking operational details unnecessarily.

The plugin has been successfully tested for:

✅ Information Leakage Vulnerabilities

✅ SQL Injection Vulnerabilities

✅ Cross-Site Scripting (XSS) Attacks

✅ Cross-Site Request Forgery (CSRF) Attacks

✅ Authentication & Authentication Bypass Vulnerabilities

✅ Privilege Escalation Vulnerabilities

✅ Buffer Overflow Vulnerabilities

✅ Denial-of-Service (DoS) Vulnerabilities

✅ Data Leakage Vulnerabilities

✅ Insecure Dependencies

✅ Code Execution Vulnerabilities

✅ Unauthorized File Access Vulnerabilities

✅ Insufficient Injection Protection

Conclusion

MetForm – Contact Form Builder (v4.1.3) is a feature-rich and security-conscious solution for building advanced forms within Elementor. Its architecture ensures safe handling of user data, secure file uploads, and controlled integration with external services.

The awarded Plugin Security Certificate PSC-2026-64642 confirms that the plugin meets modern security standards and is safe for deployment in production environments.

For developers, businesses, and agencies requiring flexible form-building capabilities without compromising security, MetForm offers a certified and reliable solution.

Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.

Plugin Security Certification (PSC-2026-64642): “MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor” – Version 4.1.3
