Important Security Update — Easy Form Builder (v4.0.13+)

We have released an important security update for Easy Form Builder that strengthens the security of user registration and password recovery workflows.

This update focuses on improving the integrity of the most sensitive part of any WordPress site: user authentication and account management, including both regular users and site administrators.

⚠️ Required Action

If your website uses any of the following features:

  • User registration forms
  • Login / membership systems
  • Password reset (“Forgot Password”) functionality
  • Any workflow involving user accounts

You must update to version 4.0.13 or higher immediately.

Even if these features are not actively used, updating is still strongly recommended.

🔍 What Was Reviewed and Improved

During a security review of versions up to 4.0.11, we identified areas in the authentication flow that required additional hardening under specific conditions involving:

  • One-time login and recovery links
  • Password reset workflows
  • User verification requests

The issue was responsibly reported by an independent security researcher and was handled as a high-priority security improvement.

Importantly:

  • No evidence of widespread real-world exploitation has been observed
  • The issue required specific conditions to be triggered
  • The update fully resolves and strengthens these flows

🛡️ What Has Been Fixed in v4.0.13+

This release introduces a full security hardening of authentication-related systems:

✔ Strong cryptographic token generation

All recovery and registration links are now generated using secure, unpredictable methods.

✔ Single-use security enforcement

Every password reset or registration link is now:

  • Valid only once
  • Immediately invalidated after use

✔ Hardened request validation

Requests are now validated earlier in the process with stricter rules, reducing attack surface.

✔ Separation of authentication workflows

Registration and password recovery systems are now fully isolated and cannot be cross-used.

✔ Improved session and request integrity checks

Only properly issued and validated requests are processed by the system.
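The properties listed above (unpredictable tokens, single use, early validation, workflow separation, and integrity checks on every request) can all be enforced by one small token record. The following is an added, self-contained PHP illustration written for this post; it is not Easy Form Builder's own code. The class and method names, the 15-minute lifetime in TOKEN_TTL_SECONDS, and the in-memory array standing in for real storage are all assumptions made for the example; a plugin would persist the record with WordPress APIs such as user meta or a custom table.

```php
<?php
// Illustrative one-time link token handling (assumed design, not the plugin's code).
// An in-memory array stands in for persistent storage so the file runs on its own.

const TOKEN_TTL_SECONDS = 900; // assumed 15-minute lifetime for a reset/registration link

final class OneTimeTokenStore
{
    /** @var array<string, array{purpose:string,user_id:int,expires:int}> keyed by token hash */
    private array $records = [];

    // Issue a link token bound to exactly one purpose ('recovery' or 'registration')
    // and one user. Returns the raw token that goes into the emailed link.
    public function issue(string $purpose, int $userId, int $now): string
    {
        // 256 bits from the CSPRNG; never uniqid(), mt_rand() or a timestamp.
        $token = bin2hex(random_bytes(32));
        // Only the hash is stored, so a leaked database does not reveal live links.
        $this->records[self::hashToken($token)] = [
            'purpose' => $purpose,
            'user_id' => $userId,
            'expires' => $now + TOKEN_TTL_SECONDS,
        ];
        return $token;
    }

    // Validate and consume a token for the given workflow. Returns the user id on
    // success, null otherwise. The record is removed on every attempt (single use).
    public function consume(string $purpose, int $userId, string $token, int $now): ?int
    {
        // Hardened request validation: reject malformed input before touching storage.
        if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
            return null;
        }
        $key = self::hashToken($token);
        $record = $this->records[$key] ?? null;
        if ($record === null) {
            return null; // never issued, or already used
        }
        // Separation of workflows: a recovery token is useless for registration and
        // vice versa. The user binding and expiry are checked in the same step.
        $valid = hash_equals($record['purpose'], $purpose)
            && $record['user_id'] === $userId
            && $record['expires'] >= $now;
        // Single use: burn the record whether or not the checks passed, so a token
        // that failed on purpose or expiry cannot be retried against another flow.
        unset($this->records[$key]);
        return $valid ? $record['user_id'] : null;
    }

    private static function hashToken(string $token): string
    {
        return hash('sha256', $token);
    }
}

// Demonstration of the rules the store enforces.
$store = new OneTimeTokenStore();
$now = time();

// A recovery token presented to the registration workflow, then retried correctly.
$t1 = $store->issue('recovery', 42, $now);
var_dump($store->consume('registration', 42, $t1, $now));
var_dump($store->consume('recovery', 42, $t1, $now));

// A correctly used recovery token, then the same token presented a second time.
$t2 = $store->issue('recovery', 42, $now);
var_dump($store->consume('recovery', 42, $t2, $now + 10));
var_dump($store->consume('recovery', 42, $t2, $now + 10));

// A registration token presented after its lifetime has elapsed.
$t3 = $store->issue('registration', 7, $now);
var_dump($store->consume('registration', 7, $t3, $now + TOKEN_TTL_SECONDS + 1));
```

Two design choices are worth noting. Storing only a hash of the token means the lookup itself is constant-time safe (the hash key must match exactly) and a read-only leak of the table does not hand out working links. Deleting the record on any consume attempt, including failed ones, is what makes the token single-use in practice: a link that was tried against the wrong workflow or after expiry cannot be replayed, which is the behaviour the "immediately invalidated after use" and "cannot be cross-used" points above describe.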

🧠 Security Impact

This update significantly improves protection across:

  • User accounts
  • Admin accounts (site administrators)
  • Authentication workflows
  • Registration and password recovery systems
  • Overall form security integrity

👤 Should You Be Concerned?

No.

This issue:

  • Required very specific conditions
  • Was responsibly reported and quickly fixed
  • Has no known active exploitation in real-world environments
  • Is fully resolved in version 4.0.12+

The only action required is updating the plugin.

📦 Who Should Update?

You should update if your website includes:

  • Membership or subscription systems
  • User login or registration
  • Password reset functionality
  • Any protected content requiring authentication

⬇️ How to Update

Update via:

🔄 Ongoing Security Commitment

Security is a continuous process, not a one-time fix.

We are actively improving:

  • Authentication flows
  • Form submission validation
  • System-level security architecture
  • Future AI-assisted anomaly detection

for Easy Form Builder to ensure long-term resilience and safety.

This update strengthens the security foundation of your website without changing how the plugin works.

We strongly recommend updating to version 4.0.13 or higher as soon as possible.